Vulnerability Name:

CVE-2021-42574 (CCN-212526)

Assigned:2021-10-31
Published:2021-10-31
Updated:2022-10-25
Summary:** DISPUTED ** An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through 14.0. It permits the visual reordering of characters via control sequences, which can be used to craft source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters. Adversaries can leverage this to encode source code for compilers accepting Unicode such that targeted vulnerabilities are introduced invisibly to human reviewers.
Note: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard and the Unicode Bidirectional Algorithm (all versions). Due to text display behavior when text includes left-to-right and right-to-left characters, the visual order of tokens may be different from their logical order. Additionally, control characters needed to fully support the requirements of bidirectional text can further obfuscate the logical order of tokens. Unless mitigated, an adversary could craft source code such that the ordering of tokens perceived by human reviewers does not match what will be processed by a compiler/interpreter/etc. The Unicode Consortium has documented this class of vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms, and in Unicode Standard Annex #31, Unicode Identifier and Pattern Syntax. Also, the BIDI specification allows applications to tailor the implementation in ways that can mitigate misleading visual reordering in program text; see HL4 in Unicode Standard Annex #9, Unicode Bidirectional Algorithm.
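The Summary and Note above describe the mechanism (bidi formatting characters make the rendered order of tokens differ from the logical order a compiler or interpreter ingests) and point at UTS #39 and UAX #31 for mitigations. The scanner below is an added example written for this page; it is not code from the Unicode Consortium, the Rust project, or any vendor advisory listed here. It reports every explicit bidi formatting character and implicit directional mark from UAX #9, checks that each embedding, override or isolate is closed on the line that opened it (a simplified per-line form of the UTS #39 pairing guidance; treating one line as one unit is an assumption of this example), and, on a constructed Python sample, shows that the parser sees a single comparison where a bidi-aware renderer can show two. The sample source is constructed for illustration, not taken from any published proof of concept.

```python
"""Detect Unicode bidi control characters in source text (Trojan Source, CVE-2021-42574).

Added example for this page, not code from the Unicode Consortium, the Rust project
or any advisory listed here. SAMPLE below is constructed for illustration.
"""
import ast
from typing import List, Tuple

# Explicit directional formatting characters (UAX #9). These reorder display.
BIDI_FORMATTING = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
# Implicit directional marks: they do not reorder on their own, but they are
# invisible and rarely legitimate in program text, so report them as well.
BIDI_MARKS = {"\u200e": "LRM", "\u200f": "RLM", "\u061c": "ALM"}

OPENERS = {"LRE", "RLE", "LRO", "RLO"}      # closed by PDF
ISOLATE_OPENERS = {"LRI", "RLI", "FSI"}     # closed by PDI


def find_bidi_controls(source: str) -> List[Tuple[int, int, str, str]]:
    """Return (line, column, U+XXXX, short name) for every bidi control in source.

    Line and column are 1-based. The scan is character-based, so it applies to
    any language's source files, not only Python.
    """
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            name = BIDI_FORMATTING.get(ch) or BIDI_MARKS.get(ch)
            if name:
                hits.append((line_no, col, f"U+{ord(ch):04X}", name))
    return hits


def unbalanced_lines(source: str) -> List[int]:
    """Lines that open an embedding/override/isolate without closing it on the same line.

    UTS #39 recommends that bidi controls in program text be paired and terminated
    within the literal or comment that contains them. This is a simplified version
    of that check (assumption: one line is one unit). An unterminated opener is the
    usual signature of a Trojan Source payload.
    """
    bad = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        depth = isolates = 0
        for ch in line:
            name = BIDI_FORMATTING.get(ch)
            if name in OPENERS:
                depth += 1
            elif name == "PDF":
                depth = max(depth - 1, 0)
            elif name in ISOLATE_OPENERS:
                isolates += 1
            elif name == "PDI":
                isolates = max(isolates - 1, 0)
        if depth or isolates:
            bad.append(line_no)
    return bad


def logical_view(source: str) -> str:
    """The token order a compiler actually ingests: the text with every bidi control removed.

    Show this next to the rendered form during code review.
    """
    return "".join(ch for ch in source
                   if ch not in BIDI_FORMATTING and ch not in BIDI_MARKS)


# Constructed sample: isolate controls inside a string literal and a comment let a
# bidi-aware renderer show the condition with an extra clause
# ("and access_level != 'user'") that the interpreter never evaluates.
SAMPLE = (
    'access_level = "user"\n'
    "if access_level != 'none\u2067': # Check if admin\u2069 \u2067' and access_level != 'user\n"
    '    print("You are an admin.")\n'
)


def comparators_seen_by_parser(source: str) -> int:
    """Number of comparisons the Python parser finds in the first `if` test.

    For SAMPLE this is 1: everything after '#' is a comment to the parser,
    whatever the screen shows.
    """
    tree = ast.parse(source)
    test = next(n for n in ast.walk(tree) if isinstance(n, ast.If)).test
    return len(test.values) if isinstance(test, ast.BoolOp) else 1


if __name__ == "__main__":
    for line, col, cp, name in find_bidi_controls(SAMPLE):
        print(f"line {line} col {col}: {cp} {name}")
    print("unbalanced lines:", unbalanced_lines(SAMPLE))
    print("parser sees", comparators_seen_by_parser(SAMPLE), "comparison(s) in the if-test")
    print(logical_view(SAMPLE))
```

In a CI job, run `find_bidi_controls` over every text file in the repository and fail the build on any hit; legitimate right-to-left text in string literals is rare enough that an allow-list per file is cheaper than trying to judge intent automatically, which is the same position rustc's lint and the UTS #39 guidance take.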
CVSS v3 Severity:8.3 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
7.2 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): High
9.8 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): High
8.5 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
7.4 High (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity:5.1 Medium (CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
10.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type:CWE-94
CWE-838
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2021-42574

Source: CCN
Type: US-CERT VU#999008
Compilers permit Unicode control and homoglyph characters

Source: MLIST
Type: Exploit, Mailing List, Mitigation, Third Party Advisory
[oss-security] 20211101 CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code

Source: MLIST
Type: Exploit, Mailing List, Third Party Advisory
[oss-security] 20211101 Re: CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code

Source: MLIST
Type: Mailing List, Third Party Advisory
[oss-security] 20211102 Re: CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code

Source: MLIST
Type: Mailing List, Third Party Advisory
[oss-security] 20211101 Trojan Source Attacks

Source: MLIST
Type: Mailing List
[oss-security] 20211102 Re: Trojan Source Attacks

Source: CCN
Type: Unicode Web site
Unicode 14.00

Source: MISC
Type: Release Notes, Vendor Advisory
http://www.unicode.org/versions/Unicode14.0.0/

Source: CCN
Type: Rust Blog, Nov. 1, 2021
Security advisory for rustc (CVE-2021-42574)

Source: CCN
Type: Red Hat Bugzilla - Bug 2005819
(CVE-2021-42574) - CVE-2021-42574 Developer environment: Unicode's bidirectional (BiDi) override characters can cause trojan source attacks

Source: XF
Type: UNKNOWN
unicode-cve202142574-code-exec(212526)

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-443139f67c

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-7ad3a01f6a

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-0578e23912

Source: GENTOO
Type: Third Party Advisory
GLSA-202210-09

Source: MISC
Type: Exploit, Technical Description, Third Party Advisory
https://trojansource.codes

Source: CCN
Type: IBM Security Bulletin 6551876 (Cloud Pak for Security)
Cloud Pak for Security uses packages that are vulnerable to multiple CVEs

Source: CCN
Type: IBM Security Bulletin 6568365 (QRadar Network Packet Capture)
IBM QRadar Network Packet Capture is using components with known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6586492 (MQ Operator CD release)
IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from expat, Golang Go, gcc, openssl and libxml.

Source: CERT-VN
Type: Third Party Advisory, US Government Resource
VU#999008

Source: CCN
Type: oss-sec Mailing List, Mon, 1 Nov 2021 01:01:46 +0100
CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code

Source: CCN
Type: Rust Web site
Rust

Source: MISC
Type: Exploit, Mitigation, Third Party Advisory
https://www.scyon.nl/post/trojans-in-your-source-code

Source: MISC
Type: Third Party Advisory
https://www.starwindsoftware.com/security/sw-20220804-0002/

Source: MISC
Type: Technical Description, Vendor Advisory
https://www.unicode.org/reports/tr31/

Source: MISC
Type: Technical Description, Vendor Advisory
https://www.unicode.org/reports/tr36/

Source: MISC
Type: Technical Description, Vendor Advisory
https://www.unicode.org/reports/tr39/

Source: MISC
Type: Technical Description, Vendor Advisory
https://www.unicode.org/reports/tr9/tr9-44.html#HL4

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2021-42574

Vulnerable Configuration:Configuration 1:
  • cpe:/a:unicode:unicode:*:*:*:*:*:*:*:* (Version < 14.0.0)

Configuration 2:
  • cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:35:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/a:starwindsoftware:starwind_virtual_san:v8r13:14398:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:*

Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:7::computenode:*:*:*:*:*

Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*

Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*

Configuration RedHat 6:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 7:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration RedHat 8:
  • cpe:/a:redhat:enterprise_linux:8::crb:*:*:*:*:*

Configuration RedHat 9:
  • cpe:/o:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 10:
  • cpe:/o:redhat:enterprise_linux:8::baseos:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:rust-lang:rust:1.0.0:-:*:*:*:*:*:*
  • AND
  • cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_network_packet_capture:7.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:*
  * Denotes that component is vulnerable

Oval Definitions:
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:112048 | P | cargo1.56-1.56.1-1.1 on GA media (Moderate) | 2022-01-17
oval:com.redhat.rhsa:def:20214743 | P | RHSA-2021:4743: llvm-toolset:rhel8 security update (Moderate) | 2021-11-18
oval:com.redhat.rhsa:def:20214649 | P | RHSA-2021:4649: gcc-toolset-10-binutils security update (Moderate) | 2021-11-15
oval:com.redhat.rhsa:def:20214593 | P | RHSA-2021:4593: annobin security update (Moderate) | 2021-11-10
oval:com.redhat.rhsa:def:20214590 | P | RHSA-2021:4590: rust-toolset:rhel8 security update (Moderate) | 2021-11-10
oval:com.redhat.rhsa:def:20214594 | P | RHSA-2021:4594: gcc-toolset-11-binutils security update (Moderate) | 2021-11-10
oval:com.redhat.rhsa:def:20214585 | P | RHSA-2021:4585: gcc-toolset-10-gcc security update (Moderate) | 2021-11-10
oval:com.redhat.rhsa:def:20214591 | P | RHSA-2021:4591: gcc-toolset-11-annobin security update (Moderate) | 2021-11-10
oval:com.redhat.rhsa:def:20214595 | P | RHSA-2021:4595: binutils security update (Moderate) | 2021-11-10
oval:com.redhat.rhsa:def:20214586 | P | RHSA-2021:4586: gcc-toolset-11-gcc security update (Moderate) | 2021-11-10
oval:com.redhat.rhsa:def:20214592 | P | RHSA-2021:4592: gcc-toolset-10-annobin security update (Moderate) | 2021-11-10
oval:com.redhat.rhsa:def:20214587 | P | RHSA-2021:4587: gcc security update (Moderate) | 2021-11-10
oval:com.redhat.rhsa:def:20214033 | P | RHSA-2021:4033: binutils security update (Moderate) | 2021-11-01
Affected Products:
Vendor | Product | Version
unicode | unicode | *
fedoraproject | fedora | 33
fedoraproject | fedora | 34
fedoraproject | fedora | 35
starwindsoftware | starwind virtual san | v8r13 14398
rust-lang | rust | 1.0.0 -
redhat | enterprise linux | 7
ibm | qradar network packet capture | 7.3
ibm | cloud pak for security | 1.7.2.0