{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2024-035.pdf"
    },
    "title": "Critical Vulnerability in Rust on Windows",
    "serial_number": "2024-035",
    "publish_date": "10-04-2024 09:54:51",
    "description": "On April 9, 2024, the Rust Security Response WG issued a security advisory regarding a critical vulnerability in the Rust programming environment affecting Windows platforms. This flaw allows command injection attacks via crafted batch file executions with untrusted arguments. <br>\nIt is recommended to update as soon as possible, prioritising assets running code (or one of its dependencies) which executes batch files with untrusted arguments.<br>\n",
    "url_title": "2024-035",
    "content_markdown": "---\ntitle: 'Critical Vulnerability in\u00a0Rust\u00a0on\u00a0Windows'\nnumber: '2024-035'\nversion: '1.0'\noriginal_date: 'April 9, 2024'\ndate: 'April 10, 2024'\n---\n\n_History:_\n\n* _10/04/2024 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn April 9, 2024, the Rust Security Response WG issued a security advisory regarding a critical vulnerability in the Rust programming environment affecting Windows platforms. This flaw allows command injection attacks via crafted batch file executions with untrusted arguments.\n\nIt is recommended to update as soon as possible, prioritising assets running code (or one of its dependencies) which executes batch files with untrusted arguments [1].\n\n# Technical Details\n\nThe vulnerability, identified as **CVE-2024-24576** with a CVSS score of 10, stems from improper sanitisation of command-line arguments, which could be manipulated to execute arbitrary commands. This issue affects all Rust versions prior to 1.77.2 on Windows if a program's code or one of its dependencies invokes and executes batch files with untrusted arguments [1].\n\n# Affected Products\n\nAll Rust versions before 1.77.2 on Windows are affected [2].\n\n# Recommendations\n\nCERT-EU recommends upgrading Rust, prioritising assets running code (or one of its dependencies) which executes batch files with untrusted arguments.\n\n# References\n\n[1] <https://www.bleepingcomputer.com/news/security/critical-rust-flaw-enables-windows-command-injection-attacks/>\n\n[2] <https://blog.rust-lang.org/2024/04/09/cve-2024-24576.html>\n\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>10/04/2024 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On April 9, 2024, the Rust Security Response WG issued a security advisory regarding a critical vulnerability in the Rust programming environment affecting Windows platforms. This flaw allows command injection attacks via crafted batch file executions with untrusted arguments.</p><p>It is recommended to update as soon as possible, prioritising assets running code (or one of its dependencies) which executes batch files with untrusted arguments [1].</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability, identified as <strong>CVE-2024-24576</strong> with a CVSS score of 10, stems from improper sanitisation of command-line arguments, which could be manipulated to execute arbitrary commands. This issue affects all Rust versions prior to 1.77.2 on Windows if a program's code or one of its dependencies invokes and executes batch files with untrusted arguments [1].</p><h2 id=\"affected-products\">Affected Products</h2><p>All Rust versions before 1.77.2 on Windows are affected [2].</p><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU recommends upgrading Rust, prioritising assets running code (or one of its dependencies) which executes batch files with untrusted arguments.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/news/security/critical-rust-flaw-enables-windows-command-injection-attacks/\">https://www.bleepingcomputer.com/news/security/critical-rust-flaw-enables-windows-command-injection-attacks/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://blog.rust-lang.org/2024/04/09/cve-2024-24576.html\">https://blog.rust-lang.org/2024/04/09/cve-2024-24576.html</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}