Researchers have disclosed an out-of-bounds read vulnerability in the Squirrel programming language that attackers can abuse to break out of the sandbox restrictions and execute arbitrary code within a SquirrelVM, thus giving a malicious actor full access to the underlying machine.
Tracked as CVE-2021-41556, the issue occurs when a game library known as Squirrel Engine is used to execute untrusted code, and it affects stable release branches 3.x and 2.x of Squirrel. The vulnerability was responsibly disclosed on August 10, 2021.
Squirrel is an open-source, object-oriented programming language that is used for scripting video games as well as in IoT devices and distributed transaction processing platforms such as Enduro/X.
“In a real-world scenario, an attacker may embed a malicious Squirrel script into a community map and distribute it via the trusted Steam Workshop,” researchers Simon Scannell and Niklas Breitfeld said in a report shared with The Hacker News. “When a server owner downloads and installs this malicious map onto his server, the Squirrel script is executed, escapes its VM, and takes control of the server machine.”
The identified security flaw concerns an “out-of-bounds access via index confusion” when defining Squirrel classes that could be exploited to hijack the control flow of a program and gain full control of the Squirrel VM.
While the issue has been addressed as part of a code commit pushed on September 16, it's worth noting that the changes haven’t been included in a new stable release, with the last official version (v3.1) released on March 27, 2016. Maintainers who rely on Squirrel in their projects are highly recommended to apply the latest fixes by rebuilding it from source code in order to protect against any attacks.