Windows devices could be targeted with command injection attacks exploiting the maximum severity Rust standard library vulnerability, tracked as CVE-2024-24576, The Hacker News reports.
All Rust versions earlier than 1.77.2 are affected by the flaw, also known as BatBadBut, which stems from how the language's standard library wraps the Windows CreateProcess function and from the escaping mechanism it applies to command arguments, according to Flatt Security security engineer RyotaK, who identified and reported the flaw to the CERT Coordination Center. Additional advice from the Rust Security Response working group noted that arbitrary shell command execution was possible because Rust improperly escaped arguments when invoking batch files.
"To prevent the unexpected execution of batch files, you should consider moving the batch files to a directory that is not included in the PATH environment variable. In this case, the batch files won't be executed unless the full path is specified, so the unexpected execution of batch files can be prevented," said RyotaK.
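As an added illustration (not code from the article, from RyotaK, or from the Rust project), the following Rust functions build a CreateProcess-style command line using the generic Windows argument quoting rules and refuse to pass untrusted arguments carrying cmd.exe metacharacters to a batch file; the metacharacter list and the `.bat`/`.cmd` extension check are this example's own assumptions, and it runs on any platform because it never spawns a process.

```rust
use std::path::Path;

/// Quote one argument the way a generic CreateProcess wrapper does
/// (MSVCRT rules): wrap in double quotes, double backslashes that precede
/// a quote, and escape embedded quotes with a backslash. These rules are
/// understood by a normal executable's argv parser but NOT by cmd.exe,
/// which is what actually runs a .bat/.cmd file.
pub fn msvcrt_quote(arg: &str) -> String {
    let mut out = String::from("\"");
    let mut backslashes = 0;
    for c in arg.chars() {
        match c {
            '\\' => backslashes += 1,
            '"' => {
                // Backslashes before a quote are doubled, then the quote is escaped.
                out.extend(std::iter::repeat('\\').take(backslashes * 2 + 1));
                backslashes = 0;
                out.push('"');
            }
            _ => {
                out.extend(std::iter::repeat('\\').take(backslashes));
                backslashes = 0;
                out.push(c);
            }
        }
    }
    // Trailing backslashes are doubled so they cannot escape the closing quote.
    out.extend(std::iter::repeat('\\').take(backslashes * 2));
    out.push('"');
    out
}

/// Assumption for this example: a program is treated as a batch file when its
/// extension is .bat or .cmd (case-insensitive), i.e. Windows will run it via cmd.exe.
pub fn is_batch_file(program: &str) -> bool {
    Path::new(program)
        .extension()
        .and_then(|e| e.to_str())
        .map_or(false, |e| e.eq_ignore_ascii_case("bat") || e.eq_ignore_ascii_case("cmd"))
}

/// Characters that keep their special meaning to cmd.exe even inside MSVCRT quotes
/// (assumed, conservative list for this example).
const CMD_METACHARS: &[char] = &['&', '|', '<', '>', '^', '%', '!', '"', '\r', '\n'];

/// Build the command line for `program`. For a plain executable the MSVCRT quoting is
/// sufficient; for a batch file, any argument containing a cmd.exe metacharacter is
/// rejected instead of being forwarded, which is the defensive behaviour the fix adopts.
pub fn build_command_line(program: &str, args: &[&str]) -> Result<String, String> {
    let mut parts = vec![msvcrt_quote(program)];
    for arg in args {
        if is_batch_file(program) && arg.chars().any(|c| CMD_METACHARS.contains(&c)) {
            return Err(format!("refusing argument {arg:?}: cmd.exe metacharacter would reach batch file {program}"));
        }
        parts.push(msvcrt_quote(arg));
    }
    Ok(parts.join(" "))
}
```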