
Rust Command Injection Vulnerability (CVE-2024-24576)

Apr 12, 2024 GMT+08:00

I. Overview

Recently, Rust released an official security notice disclosing a high-risk command injection vulnerability (CVE-2024-24576) in Rust versions earlier than 1.77.2. When the Rust Command API is used to invoke batch files (with .bat and .cmd file extensions) on Windows, attackers can exploit this vulnerability: by bypassing the argument escaping in the Rust standard library, they can execute arbitrary shell commands on the target host. A POC for this vulnerability has been publicly disclosed, so the risk is high.

Rust is an open-source systems programming language that emphasizes performance, type safety, and concurrency. If you are a Rust user, check your Rust versions and implement timely security hardening.
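As an added example, not part of this notice or of the Rust project's own code, the following Rust helper parses `rustc --version` output to decide whether a toolchain falls in the affected range (below 1.77.2) and applies a conservative pre-spawn gate for the batch-file scenario described above. The metacharacter deny-list is an assumption chosen for defensive checking, not the standard library's escaping rules; the version threshold and the .bat/.cmd extensions come from the notice.

```rust
// Added example for CVE-2024-24576: toolchain version check plus a conservative
// argument gate for spawning .bat/.cmd files. Not the Rust project's code.
use std::path::Path;

/// Parse "rustc 1.77.1 (constructed 2024-01-01)" style output into (major, minor, patch).
/// Returns None when the string does not look like rustc --version output.
pub fn parse_rustc_version(output: &str) -> Option<(u64, u64, u64)> {
    let ver = output.split_whitespace().nth(1)?;
    // Strip channel suffixes such as "1.78.0-nightly" before splitting on '.'.
    let core = ver.split('-').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// True when the toolchain is older than the fixed release 1.77.2 (threshold from the notice).
pub fn is_affected(output: &str) -> Option<bool> {
    let v = parse_rustc_version(output)?;
    Some(v < (1, 77, 2))
}

/// True when `program` would be run through cmd.exe as a batch file (.bat or .cmd).
pub fn is_batch_file(program: &str) -> bool {
    Path::new(program)
        .extension()
        .and_then(|e| e.to_str())
        .map(|e| e.eq_ignore_ascii_case("bat") || e.eq_ignore_ascii_case("cmd"))
        .unwrap_or(false)
}

/// Conservative gate for an untrusted argument destined for a batch file: reject
/// anything cmd.exe might interpret. Assumed deny-list, deliberately stricter than
/// the standard library's escaping; upgrading to 1.77.2 remains the real fix.
pub fn batch_arg_is_safe(arg: &str) -> bool {
    const META: &[char] = &['"', '%', '^', '&', '|', '<', '>', '(', ')', '!', '\r', '\n'];
    !arg.chars().any(|c| META.contains(&c))
}

/// Allow the spawn only if the target is not a batch file or every argument passes the gate.
pub fn spawn_is_acceptable(program: &str, args: &[&str]) -> bool {
    !is_batch_file(program) || args.iter().all(|a| batch_arg_is_safe(a))
}
```

Wire `spawn_is_acceptable` in front of any `std::process::Command` call that takes attacker-influenced arguments, and use `is_affected` on the output of `rustc --version` in a CI step to flag toolchains that still need the upgrade.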

Reference link:

https://github.com/rust-lang/rust/security/advisories/GHSA-q455-m56c-85mh

https://blog.rust-lang.org/2024/04/09/cve-2024-24576.html

II. Severity

Severity: important

(Severity: low, moderate, important, and critical)

III. Affected Products

Affected versions:

Rust < 1.77.2

Secure versions:

Rust >= 1.77.2

IV. Vulnerability Handling

This vulnerability has been fixed in the latest official version. If your service version falls into the affected range, upgrade it to the secure version.

https://blog.rust-lang.org/2024/04/09/Rust-1.77.2.html

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.