CVE-2021-42574
environment: Unicode's bidirectional (BiDi) override characters can cause trojan source attacks
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
7Exploited in Wild
-Decision
Descriptions
An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through 14.0. It permits the visual reordering of characters via control sequences, which can be used to craft source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters. Adversaries can leverage this to encode source code for compilers accepting Unicode such that targeted vulnerabilities are introduced invisibly to human reviewers. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard and the Unicode Bidirectional Algorithm (all versions). Due to text display behavior when text includes left-to-right and right-to-left characters, the visual order of tokens may be different from their logical order. Additionally, control characters needed to fully support the requirements of bidirectional text can further obfuscate the logical order of tokens. Unless mitigated, an adversary could craft source code such that the ordering of tokens perceived by human reviewers does not match what will be processed by a compiler/interpreter/etc. The Unicode Consortium has documented this class of vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms, and in Unicode Standard Annex #31, Unicode Identifier and Pattern Syntax. Also, the BIDI specification allows applications to tailor the implementation in ways that can mitigate misleading visual reordering in program text; see HL4 in Unicode Standard Annex #9, Unicode Bidirectional Algorithm.
** EN DISPUTA** Se ha detectado un problema en el algoritmo bidireccional de la especificación Unicode hasta la versión 14.0. Permite la reordenación visual de los caracteres a través de secuencias de control, lo que puede ser utilizado para crear código fuente que se traduce en una lógica diferente a la ordenación lógica de los tokens ingeridos por los compiladores e intérpretes. Los adversarios pueden aprovechar esto para codificar el código fuente de los compiladores que aceptan Unicode, de manera que las vulnerabilidades objetivo se introduzcan de forma invisible para los revisores humanos. NOTA: el Consorcio Unicode ofrece el siguiente enfoque alternativo para presentar esta preocupación. Se observa un problema en la naturaleza del texto internacional que puede afectar a las aplicaciones que implementan la compatibilidad con el estándar Unicode y el algoritmo bidireccional Unicode (todas las versiones). Debido al comportamiento de la visualización del texto cuando éste incluye caracteres de izquierda a derecha y de derecha a izquierda, el orden visual de los tokens puede ser diferente de su orden lógico. Además, los caracteres de control necesarios para cumplir los requisitos del texto bidireccional pueden ofuscar aún más el orden lógico de las fichas. A menos que se mitigue, un adversario podría elaborar el código fuente de tal manera que el orden de los tokens percibido por los revisores humanos no coincida con el que será procesado por un compilador/interpretador/etc. El Consorcio Unicode ha documentado esta clase de vulnerabilidad en su documento, Informe Técnico de Unicode #36, Consideraciones de Seguridad de Unicode. El Consorcio Unicode también proporciona orientación sobre las mitigaciones para esta clase de problemas en la Norma Técnica de Unicode #39, Mecanismos de Seguridad de Unicode, y en el Anexo de la Norma de Unicode #31, Identificador de Unicode y Sintaxis de Patrones. Además, la especificación BIDI permite a las aplicaciones adaptar la implementación de manera que pueda mitigar la reordenación visual engañosa en el texto del programa; véase HL4 en el Anexo #9 del Estándar Unicode, Algoritmo Bidireccional Unicode.
A flaw was found in the way Unicode standards are implemented in the context of development environments, which have specialized requirements for rendering text. An attacker could exploit this to deceive a human reviewer by creating a malicious patch containing well placed BiDi characters. The special handling and rendering of those characters can be then used in an attempt to hide unexpected and potentially dangerous behaviour from the reviewer.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2021-10-18 CVE Reserved
- 2021-11-01 CVE Published
- 2021-11-01 First Exploit
- 2024-07-17 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-94: Improper Control of Generation of Code ('Code Injection')
- CWE-838: Inappropriate Encoding for Output Context
CAPEC
References (24)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2021/11/01/5 | Mailing List |
|
| http://www.openwall.com/lists/oss-security/2021/11/01/6 | Mailing List |
|
| http://www.openwall.com/lists/oss-security/2021/11/02/10 | Mailing List |
|
| https://www.kb.cert.org/vuls/id/999008 | Third Party Advisory |
|
| https://www.starwindsoftware.com/security/sw-20220804-0002 | Third Party Advisory |
| URL | Date | SRC |
|---|---|---|
| https://github.com/simplylu/CVE-2021-42574 | 2023-05-23 | |
| https://github.com/waseeld/CVE-2021-42574 | 2021-12-11 | |
| https://github.com/shiomiyan/CVE-2021-42574 | 2021-11-01 | |
| http://www.openwall.com/lists/oss-security/2021/11/01/1 | 2024-08-04 | |
| http://www.openwall.com/lists/oss-security/2021/11/01/4 | 2024-08-04 | |
| https://trojansource.codes | 2024-08-04 | |
| https://www.scyon.nl/post/trojans-in-your-source-code | 2024-08-04 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Unicode Search vendor "Unicode" | Unicode Search vendor "Unicode" for product "Unicode" | < 14.0.0 Search vendor "Unicode" for product "Unicode" and version " < 14.0.0" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 33 Search vendor "Fedoraproject" for product "Fedora" and version "33" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 34 Search vendor "Fedoraproject" for product "Fedora" and version "34" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 35 Search vendor "Fedoraproject" for product "Fedora" and version "35" | - |
Affected
| ||||||
| Starwindsoftware Search vendor "Starwindsoftware" | Starwind Virtual San Search vendor "Starwindsoftware" for product "Starwind Virtual San" | v8r13 Search vendor "Starwindsoftware" for product "Starwind Virtual San" and version "v8r13" | 14398 |
Affected
| ||||||