Rust

Threat actors can exploit a security vulnerability in the Rust standard library to target Windows systems in command injection attacks.

Tracked as CVE-2024-24576, this flaw is due to OS command and argument injection weaknesses that can let attackers execute unexpected and potentially malicious commands on the operating system.

GitHub rated this vulnerability as critical severity with a maximum CVSS base score of 10/10. Unauthenticated attackers can exploit it remotely, in low-complexity attacks, and without user interaction.

"The Rust Security Response WG was notified that the Rust standard library did not properly escape arguments when invoking batch files (with the bat and cmd extensions) on Windows using the Command API," the Rust Security Response working group said.

"An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping. The severity of this vulnerability is critical if you are invoking batch files on Windows with untrusted arguments. No other platform or use is affected."

All Rust versions before 1.77.2 on Windows are affected if a program's code or one of its dependencies invokes and executes batch files with untrusted arguments.

Rust CVE-2024-24576 tweet

​The Rust security team faced a significant challenge when dealing with cmd.exe's complexity since they couldn't find a solution that would correctly escape arguments in all cases. 

As a result, they had to improve the robustness of the escaping code and modify the Command API. If the Command API cannot safely escape an argument while spawning the process, it returns an InvalidInput error.

"If you implement the escaping yourself or only handle trusted inputs, on Windows you can also use the CommandExt::raw_arg method to bypass the standard library's escaping logic," the Rust Security Response WG added.

Flatt Security engineer Ryotak discovered the vulnerability and dubbed it BatBadBut, says the flaw also impacts the following programming languages—however, not all of them have released patches:

  • Erlang (documentation update)
  • Go (documentation update)
  • Haskell (patch available)
  • Java (won’t fix)
  • Node.js (patch will be available)
  • PHP (patch will be available)
  • Python (documentation update)
  • Ruby (documentation update)

"To prevent the unexpected execution of batch files, you should consider moving the batch files to a directory that is not included in the PATH environment variable," Ryotak advised.

"In this case, the batch files won’t be executed unless the full path is specified, so the unexpected execution of batch files can be prevented."

In February, the White House Office of the National Cyber Director (ONCD) urged technology companies to adopt memory-safe programming languages like Rust. The end goal is to improve software security by minimizing the number of memory safety vulnerabilities.

Update: Added info on other vulnerable programming languages.

Related Articles:

Microsoft June 2024 Patch Tuesday fixes 51 flaws, 18 RCEs

Microsoft May 2024 Patch Tuesday fixes 3 zero-days, 61 flaws

CISA: Most critical open source projects not using memory safe code

Is your cybersecurity vendor transparent about vulnerability fixes?

Windows 11 KB5039212 update released with 37 changes, fixes