
Command injection attacks likely with critical Rust vulnerability


Windows devices could be targeted with command injection attacks exploiting a maximum-severity vulnerability in the Rust standard library, tracked as CVE-2024-24576, The Hacker News reports.

All Rust versions earlier than 1.77.2 are affected by the flaw, also known as BatBadBut. According to Flatt Security security engineer RyotaK, who identified the flaw and reported it to the CERT Coordination Center, it stems from the way the standard library's Command API wraps the Windows CreateProcess function: when the program being launched is a batch file (.bat or .cmd), CreateProcess implicitly runs it through cmd.exe, and the escaping the standard library applied to the command-line arguments did not account for cmd.exe's own parsing rules. An advisory from the Rust Security Response working group confirmed that, because of this improper argument escaping when invoking batch files, an attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands.

"To prevent the unexpected execution of batch files, you should consider moving the batch files to a directory that is not included in the PATH environment variable. In this case, the batch files won't be executed unless the full path is specified, so the unexpected execution of batch files can be prevented," said RyotaK.
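The following is an added example, not code from the article, from RyotaK's write-up or from the Rust project. It shows the application-side guard a practitioner can put in front of std::process::Command regardless of toolchain version: detect when the target is a batch file (and so will be parsed by cmd.exe rather than by the launched program's own C runtime), and refuse to pass any argument containing a cmd.exe metacharacter. The metacharacter list, the function names and the sample inputs are the author's own assumptions; the standard library's actual post-fix rule is more involved. The Command is built but not spawned, so the example runs on any platform.

```rust
use std::ffi::OsStr;
use std::io;
use std::path::Path;
use std::process::Command;

/// Characters cmd.exe interprets itself, so CreateProcess-style backslash
/// escaping does not neutralise them: `"` toggles cmd.exe's quote state,
/// `&`, `|`, `<`, `>` separate commands or redirect, `%` and `!` trigger
/// variable expansion, `^` is cmd.exe's own escape character, `(` and `)`
/// group commands, and CR/LF can begin a new command line.
/// Assumption: a deliberately conservative deny-list chosen for this example.
const CMD_METACHARS: &[char] = &['"', '%', '!', '^', '&', '|', '<', '>', '(', ')', '\r', '\n'];

/// True if CreateProcess would run `program` through cmd.exe, i.e. it has a
/// .bat or .cmd extension (compared case-insensitively, as Windows does).
pub fn is_batch_file(program: &str) -> bool {
    Path::new(program)
        .extension()
        .and_then(OsStr::to_str)
        .map(|ext| ext.eq_ignore_ascii_case("bat") || ext.eq_ignore_ascii_case("cmd"))
        .unwrap_or(false)
}

/// Returns the first argument containing a cmd.exe metacharacter, or None
/// if every argument is safe to hand to a batch file.
pub fn find_unsafe_arg<'a>(args: &[&'a str]) -> Option<&'a str> {
    args.iter()
        .copied()
        .find(|a| a.chars().any(|c| CMD_METACHARS.contains(&c)))
}

/// Builds (but does not spawn) a Command for `program`. The guard applies
/// only to batch files; ordinary executables receive their arguments through
/// CreateProcess's normal quoting, which the standard library handles.
pub fn build_command(program: &str, args: &[&str]) -> io::Result<Command> {
    if is_batch_file(program) {
        if let Some(bad) = find_unsafe_arg(args) {
            return Err(io::Error::new(
                io::ErrorKind::InvalidInput,
                format!("refusing to pass {bad:?} to batch file {program}: contains a cmd.exe metacharacter"),
            ));
        }
    }
    let mut cmd = Command::new(program);
    cmd.args(args);
    Ok(cmd)
}

fn main() {
    // Constructed inputs. The second case has the classic argument-injection
    // shape: a stray `"` to break out of the quoted argument, then `&` so
    // cmd.exe treats what follows as a second command.
    for (program, args) in [
        ("build.bat", vec!["release", "x86_64"]),
        ("build.bat", vec!["\"&calc.exe"]),
        ("build.exe", vec!["\"&calc.exe"]),
    ] {
        match build_command(program, &args) {
            Ok(cmd) => println!("ok: {:?}", cmd),
            Err(e) => println!("rejected: {e}"),
        }
    }
}
```

This guard complements rather than replaces the upgrade to 1.77.2 and the advice quoted above: on a patched toolchain, Command::spawn already returns an InvalidInput error for batch-file arguments it cannot escape safely, and keeping batch files out of directories on PATH limits which programs can be reached by name at all. Rejecting early in application code gives a clearer error to the caller and the same protection on older toolchains that cannot yet be upgraded.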
