Security News > 2024 > April > Critical Rust flaw enables Windows command injection attacks
Threat actors can exploit a security vulnerability in the Rust standard library to target Windows systems in command injection attacks.
Tracked as CVE-2024-24576, this flaw is due to OS command and argument injection weaknesses that can let attackers execute unexpected and potentially malicious commands on the operating system.
"The Rust Security Response WG was notified that the Rust standard library did not properly escape arguments when invoking batch files on Windows using the Command API," the Rust Security Response working group said.
All Rust versions before 1.77.2 on Windows are affected if a program's code or one of its dependencies invokes and executes batch files with untrusted arguments.
As a result, they had to improve the robustness of the escaping code and modify the Command API. If the Command API cannot safely escape an argument while spawning the process, it returns an InvalidInput error.
"If you implement the escaping yourself or only handle trusted inputs, on Windows you can also use the CommandExt::raw arg method to bypass the standard library's escaping logic," the Rust Security Response WG added.
News URL
Related news
- Critical 'BatBadBut' Rust Vulnerability Exposes Windows Systems to Attacks (source)
- Rust rustles up fix for 10/10 critical command injection bug on Windows in std lib (source)
- FBI: Critical infrastructure suffers spike in ransomware attacks (source)
- March 2024 Patch Tuesday: Microsoft fixes critical bugs in Windows Hyper-V (source)
- Public anxiety mounts over critical infrastructure resilience to cyber attacks (source)
- US sanctions APT31 hackers behind critical infrastructure attacks (source)
- Cyber attacks on critical infrastructure show advanced tactics and new capabilities (source)
- Critical RCE bug in 92,000 D-Link NAS devices now exploited in attacks (source)
- Critical Flaws Leave 92,000 D-Link NAS Devices Vulnerable to Malware Attacks (source)
- Microsoft fixes two Windows zero-days exploited in malware attacks (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-04-09 | CVE-2024-24576 | Rust is a programming language. | 0.0 |