-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
               AUSCERT Security Bulletin ASB-2021.0229.2
                Trojan Source: Invisible Vulnerabilities
                             2 November 2021
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Unicode Directional Formatting
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Provide Misleading Information -- Existing Account
                   Reduced Security               -- Existing Account
Resolution:        Mitigation
CVE Names:         CVE-2021-42574

Revision History:  November 2 2021: Released as an ALERT and some minor
                                    alterations to the Product and formatting.
                   November 2 2021: Initial Release

OVERVIEW

        An attacker could exploit Unicode Standards to deceive a human code
        reviewer to hide unexpected and potentially dangerous behavior.

IMPACT

        "A flaw was found in the way Unicode standards are implemented in
        the context of development environments, which have specialized
        requirements for rendering text. An attacker could exploit this to
        deceive a human reviewer by creating a malicious patch containing
        well placed BiDi characters. The special handling and rendering of
        those characters can be then used in an attempt to hide unexpected
        and potentially dangerous behaviour from the reviewer." [1]

        The vulnerability is tracked as CVE-2021-42574 and has the following
        CVSS score:

        8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H [1]

MITIGATION

        Various suggestions for mitigation include:

        "Compilers, interpreters, and build pipelines supporting Unicode
        should throw errors or warnings for unterminated bidirectional
        control characters in comments or string literals, and for
        identifiers with mixed-script confusable characters. Language
        specifications should formally disallow unterminated bidirectional
        control characters in comments and string literals. Code editors and
        repository frontends should make bidirectional control characters
        and mixed-script confusable characters perceptible with visual
        symbols or warnings." [2]

        We are already seeing various patches for products being released
        that have added new switches to identify or disable these dangerous
        Unicode sequences, or have changed the default behaviour to address
        this issue.

REFERENCES

        [1] Red Hat Customer Portal: CVE-2021-42574
            https://access.redhat.com/security/cve/CVE-2021-42574

        [2] Trojan Source: Invisible Source Code Vulnerabilities
            https://www.trojansource.codes/

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYYCd/ONLKJtyKPYoAQjIExAArCrjuZvQw+wFLEAhDdE1a1tWj2VXbYJv
V3XDN398DTgliqNuA1Oat5Z1hTzRJHFzhNpjy+SHHiYcwmZGVRnyQZaMs3bgpTDT
c0crXx6wck06A60j0ZMpgHwnETQa3XicP2OqLhFmq/6ATLDbbc1mXByW6HQlmeBu
wu4EN3naENJJ6PNfQy75cqM8/wUjkJur/8bqqteYg8CDz2FQ1xJMTSgYsgCEeD4I
eys7PmslinZIDmVB/Ou1mBHQiV93OpH9Sziuzxwx35lTidVL6fDdAUOn5f8F1t7Q
yMbjQ0/i0U40/pUzskoCpEPXG57CWfiXYWh6eegKjwuDOHsgg0aZviX1riGs2aD2
Z218eivp4RLwWK/vqB5oypImRzyDLfn8QVVDutsDt/U9avsNhVnzZZPnfPvQ/6os
/nOEwFM9Pr9/UUFPLbHxOPL4IYOfvOa8J/FGQm33vLfIFR/TMeJVwzLFDrtvPdVj
3kbM+PqtBYqknCaDvgjgDmzRQHLC8z/Z7aRkCKrfQcHeg0qdA6M8rOSRohfLSzmC
ypREBfJ9yVJ1RUlKVl7dbtvylycvTRFl8eiiDYgQDxrAsaHjgIvYlTLN1b6MGATt
i3kEajt3yL9Urf+rQEk3WU0Q823PLLab/7ia7Saqdanh3oEP7kqa6PrjeLVFYj9C
aVLPorAarho=
=0wIh
-----END PGP SIGNATURE-----
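The MITIGATION section of the bulletin asks build pipelines and repository frontends to flag two things: bidirectional control characters that are not terminated inside a comment or string literal, and identifiers whose letters come from more than one script. The script below is an added example of such a pre-commit or CI check; it is not AusCERT's or the Trojan Source project's code. It makes two labelled simplifications: bidi embeddings and isolates end at a paragraph (line) break, so an opener with no matching closer before the end of its line is reported as unterminated, rather than parsing each language's comment and string grammar; and because Python's `unicodedata` does not expose the Unicode Script property, the script of a letter is approximated from the first word of its character name (LATIN, CYRILLIC, GREEK, ...). The `SAMPLE` source text is constructed for the demonstration.

```python
"""Detector for the two Trojan Source (CVE-2021-42574) constructs named in
the mitigation guidance: unterminated bidirectional control characters and
mixed-script identifiers. Added example, not part of the advisory."""
import re
import unicodedata

# Unicode Bidi_Control characters, grouped by role.
BIDI_OPENERS = {"\u202a": "LRE", "\u202b": "RLE", "\u202d": "LRO", "\u202e": "RLO",
                "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI"}
BIDI_CLOSERS = {"\u202c": "PDF", "\u2069": "PDI"}
BIDI_MARKS = {"\u200e": "LRM", "\u200f": "RLM", "\u061c": "ALM"}
# Embeddings/overrides are closed by PDF, isolates by PDI.
CLOSER_FOR = {c: "\u202c" for c in "\u202a\u202b\u202d\u202e"}
CLOSER_FOR.update({c: "\u2069" for c in "\u2066\u2067\u2068"})

# Identifier shape used by most C-family and scripting languages.
IDENT_RE = re.compile(r"[^\W\d]\w*")


def scan_bidi(text):
    """Return sorted (line_no, col, name, status) tuples, one per bidi control
    character. status is 'ok' (opener and closer paired on the same line),
    'unterminated' (opener still open at end of line) or 'unmatched'
    (closer with nothing open). Line-level scoping is an approximation of
    the per-comment/per-string rule in the guidance."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        open_stack = []  # (col, opener) not yet closed on this line
        for col, ch in enumerate(line, 1):
            if ch in BIDI_OPENERS:
                open_stack.append((col, ch))
            elif ch in BIDI_CLOSERS:
                if open_stack and CLOSER_FOR[open_stack[-1][1]] == ch:
                    oc, och = open_stack.pop()
                    findings.append((line_no, oc, BIDI_OPENERS[och], "ok"))
                    findings.append((line_no, col, BIDI_CLOSERS[ch], "ok"))
                else:
                    findings.append((line_no, col, BIDI_CLOSERS[ch], "unmatched"))
            elif ch in BIDI_MARKS:
                # Marks are zero-width but carry no scope; still worth surfacing.
                findings.append((line_no, col, BIDI_MARKS[ch], "ok"))
        for oc, och in open_stack:
            findings.append((line_no, oc, BIDI_OPENERS[och], "unterminated"))
    findings.sort()
    return findings


def letter_script(ch):
    """Approximate the script of a letter from its Unicode name, e.g.
    'CYRILLIC SMALL LETTER O' -> 'CYRILLIC'. Non-letters return None.
    (Assumption: the stdlib has no Script property, so the name prefix is
    used as a stand-in.)"""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def mixed_script_identifiers(text):
    """Return the sorted list of identifiers whose letters span more than one
    script, the classic homoglyph case (Latin 'total' vs Cyrillic 'о')."""
    flagged = set()
    for ident in IDENT_RE.findall(text):
        scripts = {letter_script(c) for c in ident} - {None}
        if len(scripts) > 1:
            flagged.add(ident)
    return sorted(flagged)


def report(text):
    """Human-readable lines for anything a reviewer should be warned about."""
    lines = []
    for line_no, col, name, status in scan_bidi(text):
        if status != "ok":
            lines.append(f"line {line_no} col {col}: {status} {name}")
    for ident in mixed_script_identifiers(text):
        lines.append(f"mixed-script identifier: {ident!r}")
    return lines


# Constructed sample: a terminated embedding, an unterminated isolate and a
# homoglyph identifier (Cyrillic o in place of Latin o).
SAMPLE = (
    "balance = 0\n"
    "# safe comment\u202a terminated embedding\u202c\n"
    "if is_admin: \u2067 # comment containing an unterminated isolate\n"
    "total = 1\n"
    "t\u043etal = 2  # second letter is U+043E CYRILLIC SMALL LETTER O\n"
)

if __name__ == "__main__":
    for warning in report(SAMPLE):
        print(warning)
```

In a pipeline this would run over every changed file and fail the build on any non-`ok` finding or any mixed-script identifier; editors and repository frontends would use the same positions to render a visible marker at the offending column.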