Squirrel Engine Bug Could Let Attackers Hack Games and Cloud Services

Researchers have disclosed an out-of-bounds read vulnerability in the Squirrel programming language that can be abused by attackers to break out of the sandbox restrictions and execute arbitrary code within a SquirrelVM, thus giving a malicious actor full access to the underlying machine.

Tracked as CVE-2021-41556, the issue occurs when a game library known as Squirrel Engine is used to execute untrusted code and affects stable release branches 3.x and 2.x of Squirrel. The vulnerability was responsibly disclosed on August 10, 2021.

Squirrel is an open-source, object-oriented programming language that is used for scripting video games as well as in IoT devices and distributed transaction processing platforms such as Enduro/X.

“In a real-world scenario, an attacker could embed a malicious Squirrel script into a community map and distribute it via the trusted Steam Workshop,” researchers Simon Scannell and Niklas Breitfeld said in a report shared with The Hacker News. “When a server owner downloads and installs this malicious map onto his server, the Squirrel script is executed, escapes its VM, and takes control of the server machine.”

The identified security flaw concerns an “out-of-bounds access via index confusion” when defining Squirrel classes that could be exploited to hijack the control flow of a program and gain full control of the Squirrel VM.

While the issue has been addressed as part of a code commit pushed on September 16, it's worth noting that the changes have not been included in a new stable release, with the last official version (v3.1) released on March 27, 2016. Maintainers who depend on Squirrel in their projects are highly recommended to apply the latest fixes by rebuilding it from source code in order to protect against any attacks.
