A new high-severity vulnerability in the Rust programming language has been reported. The flaw could be exploited to purge files and directories from an exposed system without authorization.
“The Rust Security Response WG was notified that the std::fs::remove_dir_all standard library function is vulnerable to a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn’t otherwise access or delete,” according to the official advisory.
The vulnerability has been assigned the CVE-2022-21658 identifier.
How Can CVE-2022-21658 Be Exploited?
The attack scenario assumes an attacker with unprivileged access to a vulnerable system who wants to delete a directory called sensitive/ but lacks the permissions to do so.
If std::fs::remove_dir_all followed symbolic links, they could find a privileged program that removes a directory they have access to (called temp/), create a symlink from temp/foo to sensitive/, and wait for the privileged program to delete foo/. The privileged program would follow the symlink from temp/foo to sensitive/ while recursively deleting, resulting in sensitive/ being deleted, the advisory said.
Note that to prevent these attacks, std::fs::remove_dir_all already had protection against recursively deleting through symlinks. However, that check was implemented incorrectly in the standard library, resulting in a TOCTOU (time-of-check to time-of-use) race condition.
Rather than telling the system not to follow symlinks, the standard library first checked whether the thing it was about to delete was a symlink; only if it was not did it proceed to recursively delete the directory.
This check-then-act sequence created a race condition: an attacker could create a directory and replace it with a symlink between the check and the actual deletion. The likelihood of success on the first attempt is low, but the researchers’ experiments showed that the attack could be performed reliably within a couple of seconds.
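To make the fix concrete, here is an added example (written for this page; it is not the Rust standard library's own code or anything from the advisory) of the pattern that closes the race: instead of asking "is this a symlink?" and then deleting by path, every directory is opened with O_NOFOLLOW | O_DIRECTORY and every deletion is issued with unlinkat() relative to that already-opened descriptor, so the kernel answers the check and performs the use on the same object. The example assumes Linux (the O_* and AT_* constants are hard-coded for it) and declares openat/unlinkat by hand so it builds with plain rustc. The fixture in demo_scenario() is constructed to mirror the advisory's scenario: temp/foo is a symlink to sensitive/, and sensitive/ must survive.

```rust
use std::ffi::CString;
use std::fs::{self, File, OpenOptions};
use std::io;
use std::os::raw::{c_char, c_int};
use std::os::unix::ffi::OsStrExt;
use std::os::unix::fs::OpenOptionsExt;
use std::os::unix::io::{AsRawFd, FromRawFd};
use std::path::Path;

// Linux flag values (assumption: this example targets Linux; other Unixes differ).
const O_NOFOLLOW: c_int = 0o400000;  // fail with ELOOP instead of following a symlink
const O_DIRECTORY: c_int = 0o200000; // fail with ENOTDIR unless the target is a directory
const O_CLOEXEC: c_int = 0o2000000;
const AT_REMOVEDIR: c_int = 0x200;   // make unlinkat() behave like rmdir()

// Declared by hand so the example builds without the libc crate.
unsafe extern "C" {
    fn openat(dirfd: c_int, path: *const c_char, flags: c_int, ...) -> c_int;
    fn unlinkat(dirfd: c_int, path: *const c_char, flags: c_int) -> c_int;
}

fn check(rc: c_int) -> io::Result<()> {
    if rc < 0 { Err(io::Error::last_os_error()) } else { Ok(()) }
}

/// Delete everything below `dir_fd`. Every mutating call is relative to a
/// directory descriptor that was already opened with O_NOFOLLOW, so swapping
/// the path for a symlink after that open cannot redirect the deletion.
fn remove_children(dir_fd: c_int, dir_path: &Path) -> io::Result<()> {
    // The path is used only to enumerate entry names; nothing is deleted by path.
    for entry in fs::read_dir(dir_path)? {
        let name = entry?.file_name();
        let c_name = CString::new(name.as_bytes())?;
        // "Is it a directory?" and "do not follow a symlink" are decided by the
        // kernel in one atomic open (O_RDONLY is 0): a symlink yields ELOOP.
        let flags = O_NOFOLLOW | O_DIRECTORY | O_CLOEXEC;
        let fd = unsafe { openat(dir_fd, c_name.as_ptr(), flags) };
        if fd >= 0 {
            let child = unsafe { File::from_raw_fd(fd) }; // closed on drop
            remove_children(child.as_raw_fd(), &dir_path.join(&name))?;
            drop(child);
            check(unsafe { unlinkat(dir_fd, c_name.as_ptr(), AT_REMOVEDIR) })?;
        } else {
            // Not an openable directory: unlink the entry itself. For a
            // symlink this removes the link, never what it points to.
            check(unsafe { unlinkat(dir_fd, c_name.as_ptr(), 0) })?;
        }
    }
    Ok(())
}

/// Symlink-safe replacement for the check-then-delete pattern described above.
pub fn remove_dir_all_nofollow(path: &Path) -> io::Result<()> {
    let root = OpenOptions::new()
        .read(true)
        .custom_flags(O_NOFOLLOW | O_DIRECTORY | O_CLOEXEC)
        .open(path);
    match root {
        Ok(dir) => {
            remove_children(dir.as_raw_fd(), path)?;
            drop(dir);
            // rmdir() never follows a trailing symlink, so this step is safe as well.
            fs::remove_dir(path)
        }
        // The root itself is a symlink (or not a directory): remove only that entry.
        Err(_) => fs::remove_file(path),
    }
}

/// Constructed fixture mirroring the advisory's scenario: temp/foo is a symlink
/// to sensitive/. Returns true when temp/ is gone and sensitive/ is untouched.
pub fn demo_scenario() -> io::Result<bool> {
    use std::os::unix::fs::symlink;
    let base = std::env::temp_dir().join(format!("cve-2022-21658-demo-{}", std::process::id()));
    let sensitive = base.join("sensitive");
    let temp = base.join("temp");
    fs::create_dir_all(&sensitive)?;
    fs::create_dir_all(temp.join("nested"))?;
    fs::write(sensitive.join("secret.txt"), b"keep me")?;
    fs::write(temp.join("nested/junk.txt"), b"delete me")?;
    symlink(&sensitive, temp.join("foo"))?; // the link that must not be followed

    remove_dir_all_nofollow(&temp)?;

    let ok = sensitive.join("secret.txt").is_file() && !temp.exists();
    fs::remove_dir_all(&base)?; // fixture cleanup
    Ok(ok)
}

fn main() -> io::Result<()> {
    println!("sensitive/ survived deletion of temp/: {}", demo_scenario()?);
    Ok(())
}
```

The design point is that there is no separate "check" step left to race against: if an attacker swaps a directory for a symlink at any moment, either the openat() fails (and the link is unlinked, not followed) or the descriptor already refers to the real directory and the path is no longer consulted for deletions. Directory listing still goes by path for brevity, which can only make the walk incomplete, never make it touch anything outside the tree.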
What Rust Versions Are Affected?
CVE-2022-21658 affects versions of Rust 1.0.0 through Rust 1.58.0. The vendor’s plan was to release Rust 1.58.1 on January 20, which would include mitigations for this vulnerability.
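As an added helper for checking a toolchain against the range stated above (this is not code from the Rust project or the advisory), the following parses the version out of `rustc --version` output and reports whether it falls in 1.0.0 through 1.58.0. The sample strings in the comments are constructed; pre-release suffixes such as "-nightly" are stripped and the base version compared, which is an assumption made here for simplicity, so the answer is exact only for stable releases.

```rust
/// Parse the first "major.minor.patch" from `rustc --version` output, e.g.
/// "rustc 1.58.1 (0000000 2022-01-20)" (constructed sample). A pre-release
/// suffix like "1.59.0-nightly" is dropped and the base version is used.
pub fn parse_rustc_version(output: &str) -> Option<(u32, u32, u32)> {
    let token = output.split_whitespace().nth(1)?;
    let base = token.split('-').next()?;
    let mut parts = base.split('.').map(|p| p.parse::<u32>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// Affected range from the advisory: Rust 1.0.0 through 1.58.0 inclusive.
pub fn is_affected(version: (u32, u32, u32)) -> bool {
    version >= (1, 0, 0) && version <= (1, 58, 0)
}

fn main() {
    let out = std::process::Command::new("rustc").arg("--version").output().ok();
    let parsed = out.and_then(|o| parse_rustc_version(&String::from_utf8_lossy(&o.stdout)));
    match parsed {
        Some(v) => {
            let verdict = if is_affected(v) { "AFFECTED, upgrade to 1.58.1 or later" } else { "not affected" };
            println!("rustc {}.{}.{}: {}", v.0, v.1, v.2, verdict);
        }
        None => eprintln!("could not determine rustc version"),
    }
}
```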
It should be noted that macOS before version 10.10 and REDOX don’t have usable APIs to properly mitigate the attack, and are thus still vulnerable even with a patched toolchain.
It is worth noting that malware authors also use Rust in their malicious programming. A new ransomware-as-a-service player was detected by Recorded Future and MalwareHunterTeam on two underground forums. Known as ALPHV and BlackCat, the ransomware group is the first to use the Rust language. This was the third ransomware strain to be coded in Rust, with the other two being experimental.