Researchers have disclosed an out-of-bounds learn vulnerability within the Squirrel programming language that may be abused by attackers to interrupt out of the sandbox restrictions and execute arbitrary code inside a SquirrelVM, thus giving a malicious actor full entry to the underlying machine.
Tracked as CVE-2021-41556, the problem happens when a sport library known as Squirrel Engine is used to execute untrusted code and impacts steady launch branches 3.x and a couple of.x of Squirrel. The vulnerability was responsibly disclosed on August 10, 2021.
Squirrel is an open-source, object-oriented programming language that is used for scripting video video games and in addition to in IoT units and distributed transaction processing platforms reminiscent of Enduro/X.
“In a real-world state of affairs, an attacker might embed a malicious Squirrel script right into a neighborhood map and distribute it by way of the trusted Steam Workshop,” researchers Simon Scannell and Niklas Breitfeld said in a report shared with The Hacker Information. “When a server proprietor downloads and installs this malicious map onto his server, the Squirrel script is executed, escapes its VM, and takes management of the server machine.”
The recognized safety flaw considerations an “out-of-bounds entry by way of index confusion” when defining Squirrel lessons that might be exploited to hijack the management move of a program and achieve full management of the Squirrel VM.
Whereas the problem has been addressed as a part of a code commit pushed on September 16, it is price noting that the adjustments haven’t been included in a brand new steady launch, with the final official model (v3.1) launched on March 27, 2016. Maintainers who rely on Squirrel of their initiatives are extremely really useful to use the most recent fixes by rebuilding it from supply code so as to shield towards any assaults.