5.1 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:H/Au:N/C:P/I:P/A:P
8.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
0.003 Low
EPSS
Percentile
69.9%
Attacks that allow for unintended control of Unicode and homoglyphic characters, described by the researchers in this report leverage text encoding that may cause source code to be interpreted differently by a compiler than it appears visually to a human reviewer. Source code compilers, interpreters, and other development tools may permit Unicode control and homoglyph characters, changing the visually apparent meaning of source code.
Internationalized text encodings require support for both left-to-right languages and also right-to-left languages. Unicode has built-in functions to allow for encoding of characters to account for bi-directional, or Bidi ordering. Included in these functions are characters that represent non-visual functions. These characters, as well as characters from other human language sets (i.e., English vs. Cyrillic) can also introduce ambiguities into the code base if improperly used.
This type of attack could potentially be used to compromise a code base by capitalizing on a gap in visually rendered source code as a human reviewer would see and the raw code that the compiler would evaluate.
The use of attacks that incorporate maliciously encoded source code may go undetected by human developers and by many automated coding tools. These attacks also work against many of the compilers currently in use. An attacker with the ability to influence source code could introduce undetected ambiguity into source code using this type of attack.
The simplest defense is to ban the use of text directionality control characters both in language specifications and in compilers implementing these languages.
Two CVEs were assigned to address the two types of attacks described in this report.
CVE-2021-42574 was created for tracking the Bidi attack. CVE-2021-42694 was created for tracking the homoglyph attack.
Thanks to the reporters, Nicholas Boucher and Ross Anderson of The University of Cambridge (UK).
This document was written by Chuck Yarbrough.
999008
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Notified: 2021-09-27 Updated: 2021-11-09
Statement Date: November 03, 2021
CVE-2021-42574 | Affected |
---|---|
CVE-2021-42694 | Affected VU#999008.1 |
We have not received a statement from the vendor.
Notified: 2021-10-26 Updated: 2021-11-09
Statement Date: November 04, 2021
CVE-2021-42574 | Affected |
---|---|
CVE-2021-42694 | Not Affected VU#999008.1 |
Regarding CVE-2021-42574, the Rust project released Rust 1.56.1, featuring new lints to alert developers about the presence of bidirectional-override codepoints in their source code. No builtin mitigation is present in Rust 1.0.0 to Rust 1.56.0: we recommend users of those compiler versions to either upgrade to a newer compiler, or to perform out-of-band checks for the presence of those codepoints in their codebase.
Regarding CVE-2021-42694, Rust already includes protection from homoglyphs in identifiers. Rust 1.0.0 to Rust 1.52.1 doesn’t support non-ASCII identifiers, which prevents the issue completely. Rust 1.53.0 and later versions do support non-ASCII identifiers, but include lints to alert developers about the presence of homoglyphs or similar issues.
Notified: 2021-09-27 Updated: 2021-11-09
Statement Date: October 30, 2021
CVE-2021-42574 | Unknown |
---|---|
CVE-2021-42694 | Unknown VU#999008.1 |
In a future release the LLVM project will include new checkers as part of clang-tidy to detect occurences of both CVE-2021-42574 and CVE-2021-42694. In the meantime we recommend clang users to perform out-of-band checks for the presence of these security issues in their codebases.
Notified: 2021-09-27 Updated: 2021-11-09
Statement Date: October 18, 2021
CVE-2021-42574 | Unknown |
---|---|
CVE-2021-42694 | Unknown VU#999008.1 |
We have not received a statement from the vendor.
Notified: 2021-10-26 Updated: 2021-11-09
Statement Date: November 02, 2021
CVE-2021-42574 | Unknown |
---|---|
CVE-2021-42694 | Unknown VU#999008.1 |
We have not received a statement from the vendor.
Notified: 2021-09-27 Updated: 2021-11-09 CVE-2021-42574 | Unknown |
---|---|
CVE-2021-42694 | Unknown VU#999008.1 |
We have not received a statement from the vendor.
Notified: 2021-09-27 Updated: 2021-11-09 CVE-2021-42574 | Unknown |
---|---|
CVE-2021-42694 | Unknown VU#999008.1 |
We have not received a statement from the vendor.
Notified: 2021-10-19 Updated: 2021-11-09 CVE-2021-42574 | Unknown |
---|---|
CVE-2021-42694 | Unknown VU#999008.1 |
We have not received a statement from the vendor.
Notified: 2021-09-27 Updated: 2021-11-09 CVE-2021-42574 | Unknown |
---|---|
CVE-2021-42694 | Unknown VU#999008.1 |
We have not received a statement from the vendor.
Notified: 2021-09-27 Updated: 2021-11-09 CVE-2021-42574 | Unknown |
---|---|
CVE-2021-42694 | Unknown VU#999008.1 |
We have not received a statement from the vendor.
Notified: 2021-10-26 Updated: 2021-11-09 CVE-2021-42574 | Unknown |
---|---|
CVE-2021-42694 | Unknown VU#999008.1 |
We have not received a statement from the vendor.
Notified: 2021-10-19 Updated: 2021-11-09 CVE-2021-42574 | Unknown |
---|---|
CVE-2021-42694 | Unknown VU#999008.1 |
We have not received a statement from the vendor.
Notified: 2021-10-19 Updated: 2021-11-09 CVE-2021-42574 | Unknown |
---|---|
CVE-2021-42694 | Unknown VU#999008.1 |
We have not received a statement from the vendor.
Notified: 2021-09-27 Updated: 2021-11-09 CVE-2021-42574 | Unknown |
---|---|
CVE-2021-42694 | Unknown VU#999008.1 |
We have not received a statement from the vendor.
Notified: 2021-09-27 Updated: 2021-11-09 CVE-2021-42574 | Unknown |
---|---|
CVE-2021-42694 | Unknown VU#999008.1 |
We have not received a statement from the vendor.
Notified: 2021-11-02 Updated: 2021-11-09 CVE-2021-42574 | Unknown |
---|---|
CVE-2021-42694 | Unknown VU#999008.1 |
We have not received a statement from the vendor.
View all 16 vendors __View less vendors __
CVE IDs: | CVE-2021-42574 CVE-2021-42694 |
---|---|
Date Public: | 2021-11-09 Date First Published: |
5.1 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:H/Au:N/C:P/I:P/A:P
8.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
0.003 Low
EPSS
Percentile
69.9%