Researchers have disclosed an out-of-bounds read vulnerability in the Squirrel programming language that attackers can abuse to break out of the sandbox restrictions and execute arbitrary code within a SquirrelVM, giving a malicious actor complete access to the underlying machine.
Tracked as CVE-2021-41556, the issue occurs when a game library referred to as Squirrel Engine is used to execute untrusted code, and it affects stable release branches 3.x and 2.x of Squirrel. The vulnerability was responsibly disclosed on August 10, 2021.
Squirrel is an open-source, object-oriented programming language that is used for scripting video games as well as in IoT devices and distributed transaction processing platforms such as Enduro/X.
“In a real-world scenario, an attacker could embed a malicious Squirrel script into a community map and distribute it via the trusted Steam Workshop,” researchers Simon Scannell and Niklas Breitfeld said in a report shared with The Hacker News. “When a server owner downloads and installs this malicious map onto his server, the Squirrel script is executed, escapes its VM, and takes control of the server machine.”
The identified security flaw concerns an “out-of-bounds access via index confusion” when defining Squirrel classes, which could be exploited to hijack the control flow of a program and gain full control of the Squirrel VM.
Although the issue has been addressed as part of a code commit pushed on September 16, it's worth noting that the changes have not been included in a new stable release; the last official version (v3.1) was released on March 27, 2016. Maintainers who rely on Squirrel in their projects are strongly encouraged to apply the latest fixes by rebuilding it from source code in order to protect against any attacks.
Some parts of this article are sourced from:
thehackernews.com