Researchers have disclosed an out-of-bounds read vulnerability
in the Squirrel programming language that can be abused by
attackers to break out of the sandbox restrictions and execute
arbitrary code within a SquirrelVM, thus giving a malicious actor
complete access to the underlying machine.
Tracked as CVE-2021-41556[1], the issue occurs when a
game library referred to as Squirrel Engine[2] is used to execute
untrusted code and affects stable release branches 3.x and 2.x of
Squirrel. The vulnerability was responsibly disclosed on August 10,
2021.
Squirrel[3] is an open-source,
object-oriented programming language that's used for scripting
video games as well as in IoT devices and distributed
transaction processing platforms such as Enduro/X.
“In a real-world scenario, an attacker could embed a malicious
Squirrel script into a community map and distribute it via the
trusted Steam Workshop,” researchers Simon Scannell and Niklas
Breitfeld said[4]
in a report shared with The Hacker News. “When a server owner
downloads and installs this malicious map onto his server, the
Squirrel script is executed, escapes its VM, and takes control of
the server machine.”
The identified security flaw concerns an “out-of-bounds access
via index confusion” when defining Squirrel classes that could be
exploited to hijack the control flow of a program and gain full
control of the Squirrel VM.
While the issue has been addressed as part of a code
commit[5] pushed on September 16,
the changes have not been included in a new stable release; the
last official version (v3.1) was released on March 27, 2016.
Maintainers who depend on Squirrel in their projects are
strongly advised to apply the latest fixes by rebuilding it from
source, since no packaged release carries the patch.
References
[1] CVE-2021-41556 (cve.mitre.org)
[2] Squirrel Engine (github.com)
[3] Squirrel (github.com)
[4] said (blog.sonarsource.com)
[5] code commit (github.com)