CVE-2024-24576 has a maximum CVSS score of 10.0.
Codename: CVE-2024-24576. Location: the Rust standard library. Target: Windows users. CVSS score: 10.0. Nickname given by its discoverer: “BatBadBut”. It was discovered by RyotaK, a security researcher at Flatt Security Inc.
“BatBadBut is a vulnerability that allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when specific conditions are met,” he explains.
This flaw specifically affects Windows users and carries the maximum score of 10.0 on the CVSS scale (Common Vulnerability Scoring System), the standardized rating system for vulnerabilities. As a reminder, CVSS v3 rates scores from 4.0 to 6.9 as “Medium”, from 7.0 to 8.9 as “High” and from 9.0 to 10.0 as “Critical”.
How BatBadBut Works
BatBadBut results from faulty handling of arguments when launching batch files (.bat and .cmd) on Windows. Because CreateProcess cannot run a batch file by itself, it silently invokes cmd.exe to interpret it, and cmd.exe parses the command line with its own rules, which differ from the argument-quoting rules that language runtimes implement for native executables. Arguments that were escaped for the latter can therefore be reinterpreted by cmd.exe, which allows an attacker who controls an argument to execute arbitrary shell commands and bypass the intended escaping. The Rust Security Response Working Group published an advisory on April 9, 2024, alerting the community to the risks associated with this flaw.
The vulnerability affects all versions of Rust prior to 1.77.2. It was discovered by RyotaK and reported to CERT/CC, which coordinates vulnerability disclosure across vendors. The impact of this flaw is significant because it is not specific to Rust: several programming language runtimes share the same pattern of handing batch files to Windows’ CreateProcess function, and they escaped arguments for the conventions of a native executable rather than for cmd.exe, which opens the door to command injection.
However, RyotaK tempers this. “Exploitation of these behaviors is possible when the following conditions are met:
the application executes a command on Windows,
the application does not specify the file extension of the command, or the file extension is .bat or .cmd,
the command being executed contains user-controlled input as part of the command arguments,
and the programming language runtime fails to properly escape cmd.exe command arguments,” he explains.
RyotaK and CERT/CC recommendations
Faced with the threat posed by the BatBadBut vulnerability, prevention and mitigation measures are essential. RyotaK puts himself in the shoes of potentially affected users and recommends moving batch files to a directory that is not on the PATH environment variable, so that they cannot be executed accidentally: an application then has to specify the full path to run a batch file, which reduces the risk of exploitation. He also gives developers specific advice. “As developers who run commands on Windows, but don’t want to run batch files, you should always specify the file extension of the command.”
CERT/CC highlights the importance of developers being vigilant when executing commands on Windows. Until every affected language runtime has resolved the issue, caution is advised. Affected users are also advised to update to Rust 1.77.2, in which Command escapes batch-file arguments more robustly and returns an InvalidInput error when an argument cannot be escaped safely.
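A guard that applies the two recommendations above, written in Rust as an added example for this article (it is not code from RyotaK, Flatt Security or the Rust standard library): it refuses to run a program whose extension is unspecified, and when the target really is a .bat or .cmd file it fails closed on the characters cmd.exe still interprets inside a double-quoted argument (a quote, a percent sign, and line breaks). The names ProgramKind, classify_program, check_batch_arg and guarded_command, and the refuse-rather-than-escape policy, are this example’s own choices; the policy is deliberately stricter than the escaping Rust 1.77.2 applies. The program names and the `"&calc.exe` payload in main are constructed samples. The guard only builds the Command and never spawns it, so it compiles and runs on any platform.

```rust
use std::io;
use std::path::Path;
use std::process::Command;

/// How Windows' CreateProcess would treat a program name.
#[derive(Debug, PartialEq, Eq)]
pub enum ProgramKind {
    /// Explicit `.bat` or `.cmd`: CreateProcess hands the file to cmd.exe.
    Batch,
    /// No extension: the PATH/PATHEXT lookup may still land on a batch file.
    NoExtension,
    /// Any other explicit extension (`.exe`, `.com`, ...): cmd.exe is not involved.
    Other,
}

/// Classify a program name by its extension (case-insensitively, as Windows does).
pub fn classify_program(program: &str) -> ProgramKind {
    // Split off the last path component by hand so the check behaves the same
    // whether this example is compiled on Windows or elsewhere.
    let file_name = program
        .rsplit(|c: char| c == '\\' || c == '/')
        .next()
        .unwrap_or(program);
    match Path::new(file_name).extension().and_then(|e| e.to_str()) {
        None => ProgramKind::NoExtension,
        Some(ext) if ext.eq_ignore_ascii_case("bat") || ext.eq_ignore_ascii_case("cmd") => {
            ProgramKind::Batch
        }
        Some(_) => ProgramKind::Other,
    }
}

/// Characters cmd.exe still acts on when an argument is wrapped in double quotes:
/// `"` flips cmd.exe's quote state (the classic `"&calc.exe` payload), `%` starts
/// environment-variable expansion, and CR/LF end the line the script sees.
/// This example's policy (an assumption, stricter than the standard library):
/// refuse such arguments outright instead of trying to escape them.
pub fn check_batch_arg(arg: &str) -> io::Result<()> {
    if let Some(bad) = arg.chars().find(|&c| matches!(c, '"' | '%' | '\r' | '\n')) {
        return Err(io::Error::new(
            io::ErrorKind::InvalidInput,
            format!("argument {:?} contains {:?}, which cmd.exe could reinterpret", arg, bad),
        ));
    }
    Ok(())
}

/// Build (but do not spawn) a Command: never run a program whose extension is
/// unspecified, and only pass a batch file arguments that survive check_batch_arg.
pub fn guarded_command(program: &str, args: &[&str]) -> io::Result<Command> {
    match classify_program(program) {
        ProgramKind::NoExtension => Err(io::Error::new(
            io::ErrorKind::InvalidInput,
            format!("refusing to run {:?}: specify the extension so the lookup cannot resolve to a batch file", program),
        )),
        ProgramKind::Batch => {
            // The caller really wants a batch file: screen every argument first.
            for arg in args {
                check_batch_arg(arg)?;
            }
            let mut cmd = Command::new(program);
            cmd.args(args);
            Ok(cmd)
        }
        ProgramKind::Other => {
            // A native executable parses argv itself, so the runtime's ordinary
            // quoting is sufficient and quotes inside arguments are fine here.
            let mut cmd = Command::new(program);
            cmd.args(args);
            Ok(cmd)
        }
    }
}

fn main() {
    // Constructed sample: an attacker-controlled value that reaches a build script's arguments.
    let user_input = "\"&calc.exe";
    let cases: [(&str, Vec<&str>); 4] = [
        ("build", vec!["--target", user_input]),     // extension unspecified: refused
        ("build.bat", vec!["--target", user_input]), // batch file plus injected quote: refused
        ("build.bat", vec!["--target", "release"]),  // batch file, harmless arguments: allowed
        ("cl.exe", vec!["/D", "NAME=\"x\""]),        // native binary: quotes are allowed
    ];
    for (program, args) in &cases {
        match guarded_command(program, args) {
            Ok(cmd) => println!("ok   {:?} {:?}", cmd.get_program(), cmd.get_args().collect::<Vec<_>>()),
            Err(e) => println!("err  {} {:?}: {}", program, args, e),
        }
    }
}
```

Refusing is the right default for a wrapper that does not expect to run batch files at all; a wrapper that must run them should keep the allow-list of characters small and treat the error as a hard failure rather than falling back to an unquoted spawn.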
And if you are wondering what the name BatBadBut means, RyotaK, a self-described fan of puns, explains that the flaw concerns Batch files, is Bad, But is not the worst. Logical, but cute.
Sources: Cy Security News, Flatt Security, Rust, CERT-CC