Threat actors can exploit a security vulnerability in the Rust standard library to target Windows systems in command injection attacks.
Tracked as CVE-2024-24576, this flaw is due to OS command and argument injection weaknesses that can let attackers execute unexpected and potentially malicious commands on the operating system.
GitHub rated this vulnerability as critical severity with a maximum CVSS base score of 10/10. Unauthenticated attackers can exploit it remotely, in low-complexity attacks, and without user interaction.
“The Rust Security Response WG was notified that the Rust standard library did not properly escape arguments when invoking batch files (with the bat and cmd extensions) on Windows using the Command API,” the Rust Security Response working group said.
“An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping. The severity of this vulnerability is critical if you are invoking batch files on Windows with untrusted arguments. No other platform or use is affected.”
All Rust versions before 1.77.2 on Windows are affected if a program’s code or one of its dependencies invokes and executes batch files with untrusted arguments.
The Rust security team faced a significant challenge when dealing with cmd.exe’s complexity since they couldn’t find a solution that would correctly escape arguments in all cases.
As a result, they had to improve the robustness of the escaping code and modify the Command API. If the Command API cannot safely escape an argument while spawning the process, it returns an InvalidInput error.
“If you implement the escaping yourself or only handle trusted inputs, on Windows you can also use the CommandExt::raw_arg method to bypass the standard library’s escaping logic,” the Rust Security Response WG added.
In February, the White House Office of the National Cyber Director (ONCD) urged technology companies to adopt memory-safe programming languages like Rust. The end goal is to improve software security by minimizing the number of memory safety vulnerabilities.