|
| 1 | +--- |
| 2 | +layout: post |
| 3 | +title: "Security advisory for the standard library (CVE-2024-43402)" |
| 4 | +author: The Rust Security Response WG |
| 5 | +--- |
| 6 | + |
| 7 | +On April 9th, 2024, the Rust Security Response WG disclosed [CVE-2024-24576][1], |
| 8 | +where `std::process::Command` incorrectly escaped arguments when invoking batch |
| 9 | +files on Windows. We were notified that our fix for the vulnerability was |
| 10 | +incomplete, and it was possible to bypass the fix when the batch file name had |
| 11 | +trailing whitespace or periods (which are ignored and stripped by Windows). |
| 12 | + |
| 13 | +The severity of the incomplete fix is **low**, due to the niche conditions |
| 14 | +needed to trigger it. Note that calculating the CVSS score might assign a |
| 15 | +higher severity to this, but that doesn't take into account what is required to |
| 16 | +trigger the incomplete fix. |
| 17 | + |
| 18 | +The incomplete fix is identified by CVE-2024-43402. |
| 19 | + |
| 20 | +## Overview |
| 21 | + |
| 22 | +Refer to [the advisory for CVE-2024-24576][1] for details on the |
| 23 | +original vulnerability. |
| 24 | + |
| 25 | +To determine whether to apply the `cmd.exe` escaping rules, the original fix |
| 26 | +for the vulnerability checked whether the command name ended with `.bat` or |
| 27 | +`.cmd`. At the time that seemed enough, as we refuse to invoke batch scripts |
| 28 | +with no file extension. |
| 29 | + |
| 30 | +Unfortunately, [Windows removes trailing whitespace and periods][2] when |
| 31 | +parsing file paths. For example, `.bat. .` is interpreted by Windows as `.bat`, |
| 32 | +but our original fix didn't check for that. |
| 33 | + |
| 34 | +## Mitigations |
| 35 | + |
| 36 | +If you are affected by this, and you are using Rust 1.77.2 or greater, you can |
| 37 | +remove the trailing whitespace (ASCII 0x20) and trailing periods (ASCII 0x2E) |
| 38 | +from the batch file name to bypass the incomplete fix and enable the |
| 39 | +mitigations. |
| 40 | + |
| 41 | +Rust 1.81.0, due to be released on September 5th 2024, will update the standard |
| 42 | +library to apply the [CVE-2024-24576][1] mitigations to all batch files |
| 43 | +invocations, regardless of the trailing chars in the file name. |
| 44 | + |
| 45 | +## Affected versions |
| 46 | + |
| 47 | +All Rust versions before 1.81.0 are affected, if your code or one of your |
| 48 | +dependencies invoke a batch script on Windows with trailing whitespace or |
| 49 | +trailing periods in the name, and pass untrusted arguments to it. |
| 50 | + |
| 51 | +## Acknowledgements |
| 52 | + |
| 53 | +We want to thank Kainan Zhang (@4xpl0r3r) for responsibly disclosing this to us |
| 54 | +according to the [Rust security policy][3]. |
| 55 | + |
| 56 | +We also want to thank the members of the Rust project who helped us disclose |
| 57 | +the incomplete fix: Chris Denton for developing the fix, Amanieu D'Antras for |
| 58 | +reviewing the fix; Pietro Albini for writing this advisory; Pietro Albini, |
| 59 | +Manish Goregaokar and Josh Stone for coordinating this disclosure. |
| 60 | + |
| 61 | +[1]: https://blog.rust-lang.org/2024/04/09/cve-2024-24576.html |
| 62 | +[2]: https://learn.microsoft.com/en-us/troubleshoot/windows-client/shell-experience/file-folder-name-whitespace-characters |
| 63 | +[3]: https://www.rust-lang.org/policies/security |
0 commit comments