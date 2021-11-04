The National Institute of Cybersecurity of Spain (INCIBE) has warned of a security problem that researchers from the University of Cambridge have discovered. Is about 2 critical “vulnerabilities that affect most code compilers and to many software development environments. ”According to experts, these can be used to carry out supply chain attacks.

The resources affected are “virtually all code compilers”, the Unicode encoding standard, up to version 14.0 and the Rust programming language in versions 1.0.0 to 1.56.0. It must be remembered that Rust is a language that has been consolidated in recent years and even technology giants such as Google, Facebook or Microsoft have opted for it.

In Stack Overflow’s global survey of developers’ favorite programming languages, Rust was the highest rated in 2020 and also this 2021, with 86.69% of developers choosing Rust as the language they “love” the most. Still, it is not without its dangers.

For its part, Unicode, also affected, is a universal character set, that is to say, a standard in which all the characters necessary for the writing of the majority of the languages ​​spoken today that are used in a computer are defined.

How the exploit works

According to the information published by the INCIBE, with this exploit an attacker discovered could send teams a different code than originally intended, overriding the instructions of a program.

“The attack consists of using the control characters embedded in the comments and strings to reorder the characters in the source code, in a way that changes your logic, “according to the information discovered by the Cambridge researchers.

On the other hand, the vulnerability discovered in Unicode character definitions allows an attacker to produce source code identifiers, such as function names, using homoglyphs that are visually identical to a target identifier. Attackers can take advantage of it to inject code.

It has also been discovered a vulnerability in the Unicode bidirectional (Bidi) algorithm which could allow visual reordering of characters through control sequences. This could be used to create source code that translates into different logic than the ordering of the tokens received by compilers and interpreters. An attacker could take advantage of it to code the source code of compilers that accept Unicode.

Proposed solutions

To mitigate these vulnerabilities, the information shared by INCIBE recommends periodically check that some codepoints are not present in repositories or dependencies.

The codepoints are these: U + 202A, U + 202B, U + 202C, U + 202D, U + 202E, U + 2066, U + 2067, U + 2068 or U + 2069.

Also, who use Rust can update to version 1.56.1

