gsd-2021-42574
Vulnerability from gsd
Modified
2023-12-13 01:23
Details
** DISPUTED ** An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through 14.0. It permits the visual reordering of characters via control sequences, which can be used to craft source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters. Adversaries can leverage this to encode source code for compilers accepting Unicode such that targeted vulnerabilities are introduced invisibly to human reviewers. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard and the Unicode Bidirectional Algorithm (all versions). Due to text display behavior when text includes left-to-right and right-to-left characters, the visual order of tokens may be different from their logical order. Additionally, control characters needed to fully support the requirements of bidirectional text can further obfuscate the logical order of tokens. Unless mitigated, an adversary could craft source code such that the ordering of tokens perceived by human reviewers does not match what will be processed by a compiler/interpreter/etc. The Unicode Consortium has documented this class of vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms, and in Unicode Standard Annex #31, Unicode Identifier and Pattern Syntax. Also, the BIDI specification allows applications to tailor the implementation in ways that can mitigate misleading visual reordering in program text; see HL4 in Unicode Standard Annex #9, Unicode Bidirectional Algorithm.
Aliases
Aliases



{
  "GSD": {
    "alias": "CVE-2021-42574",
    "description": "An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through 14.0. It permits the visual reordering of characters via control sequences, which can be used to craft source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters. Adversaries can leverage this to encode source code for compilers accepting Unicode such that targeted vulnerabilities are introduced invisibly to human reviewers.",
    "id": "GSD-2021-42574",
    "references": [
      "https://www.suse.com/security/cve/CVE-2021-42574.html",
      "https://access.redhat.com/errata/RHSA-2021:4743",
      "https://access.redhat.com/errata/RHSA-2021:4730",
      "https://access.redhat.com/errata/RHSA-2021:4729",
      "https://access.redhat.com/errata/RHSA-2021:4724",
      "https://access.redhat.com/errata/RHSA-2021:4723",
      "https://access.redhat.com/errata/RHSA-2021:4694",
      "https://access.redhat.com/errata/RHSA-2021:4669",
      "https://access.redhat.com/errata/RHSA-2021:4649",
      "https://access.redhat.com/errata/RHSA-2021:4602",
      "https://access.redhat.com/errata/RHSA-2021:4601",
      "https://access.redhat.com/errata/RHSA-2021:4600",
      "https://access.redhat.com/errata/RHSA-2021:4599",
      "https://access.redhat.com/errata/RHSA-2021:4598",
      "https://access.redhat.com/errata/RHSA-2021:4596",
      "https://access.redhat.com/errata/RHSA-2021:4595",
      "https://access.redhat.com/errata/RHSA-2021:4594",
      "https://access.redhat.com/errata/RHSA-2021:4593",
      "https://access.redhat.com/errata/RHSA-2021:4592",
      "https://access.redhat.com/errata/RHSA-2021:4591",
      "https://access.redhat.com/errata/RHSA-2021:4590",
      "https://access.redhat.com/errata/RHSA-2021:4589",
      "https://access.redhat.com/errata/RHSA-2021:4588",
      "https://access.redhat.com/errata/RHSA-2021:4587",
      "https://access.redhat.com/errata/RHSA-2021:4586",
      "https://access.redhat.com/errata/RHSA-2021:4585",
      "https://access.redhat.com/errata/RHSA-2021:4039",
      "https://access.redhat.com/errata/RHSA-2021:4038",
      "https://access.redhat.com/errata/RHSA-2021:4037",
      "https://access.redhat.com/errata/RHSA-2021:4036",
      "https://access.redhat.com/errata/RHSA-2021:4035",
      "https://access.redhat.com/errata/RHSA-2021:4034",
      "https://access.redhat.com/errata/RHSA-2021:4033",
      "https://advisories.mageia.org/CVE-2021-42574.html",
      "https://security.archlinux.org/CVE-2021-42574",
      "https://linux.oracle.com/cve/CVE-2021-42574.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-42574"
      ],
      "details": "** DISPUTED ** An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through 14.0. It permits the visual reordering of characters via control sequences, which can be used to craft source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters. Adversaries can leverage this to encode source code for compilers accepting Unicode such that targeted vulnerabilities are introduced invisibly to human reviewers. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard and the Unicode Bidirectional Algorithm (all versions). Due to text display behavior when text includes left-to-right and right-to-left characters, the visual order of tokens may be different from their logical order. Additionally, control characters needed to fully support the requirements of bidirectional text can further obfuscate the logical order of tokens. Unless mitigated, an adversary could craft source code such that the ordering of tokens perceived by human reviewers does not match what will be processed by a compiler/interpreter/etc. The Unicode Consortium has documented this class of vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms, and in Unicode Standard Annex #31, Unicode Identifier and Pattern Syntax. Also, the BIDI specification allows applications to tailor the implementation in ways that can mitigate misleading visual reordering in program text; see HL4 in Unicode Standard Annex #9, Unicode Bidirectional Algorithm.",
      "id": "GSD-2021-42574",
      "modified": "2023-12-13T01:23:06.168038Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2021-42574",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "** DISPUTED ** An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through 14.0. It permits the visual reordering of characters via control sequences, which can be used to craft source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters. Adversaries can leverage this to encode source code for compilers accepting Unicode such that targeted vulnerabilities are introduced invisibly to human reviewers. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard and the Unicode Bidirectional Algorithm (all versions). Due to text display behavior when text includes left-to-right and right-to-left characters, the visual order of tokens may be different from their logical order. Additionally, control characters needed to fully support the requirements of bidirectional text can further obfuscate the logical order of tokens. Unless mitigated, an adversary could craft source code such that the ordering of tokens perceived by human reviewers does not match what will be processed by a compiler/interpreter/etc. The Unicode Consortium has documented this class of vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms, and in Unicode Standard Annex #31, Unicode Identifier and Pattern Syntax. Also, the BIDI specification allows applications to tailor the implementation in ways that can mitigate misleading visual reordering in program text; see HL4 in Unicode Standard Annex #9, Unicode Bidirectional Algorithm."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://www.unicode.org/versions/Unicode14.0.0/",
            "refsource": "MISC",
            "url": "http://www.unicode.org/versions/Unicode14.0.0/"
          },
          {
            "name": "https://trojansource.codes",
            "refsource": "MISC",
            "url": "https://trojansource.codes"
          },
          {
            "name": "[oss-security] 20211101 CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2021/11/01/1"
          },
          {
            "name": "[oss-security] 20211101 Re: CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2021/11/01/4"
          },
          {
            "name": "[oss-security] 20211101 Trojan Source Attacks",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2021/11/01/6"
          },
          {
            "name": "[oss-security] 20211102 Re: CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2021/11/01/5"
          },
          {
            "name": "[oss-security] 20211102 Re: Trojan Source Attacks",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2021/11/02/10"
          },
          {
            "name": "FEDORA-2021-0578e23912",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QUPA37D57VPTDLSXOOGF4UXUEADOC4PQ/"
          },
          {
            "name": "FEDORA-2021-7ad3a01f6a",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LQNTFF24ROHLVPLUOEISBN3F7QM27L4U/"
          },
          {
            "name": "VU#999008",
            "refsource": "CERT-VN",
            "url": "https://www.kb.cert.org/vuls/id/999008"
          },
          {
            "name": "FEDORA-2021-443139f67c",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IH2RG5YTR6ZZOLUV3EUPZEIJR7XHJLVD/"
          },
          {
            "name": "https://www.scyon.nl/post/trojans-in-your-source-code",
            "refsource": "MISC",
            "url": "https://www.scyon.nl/post/trojans-in-your-source-code"
          },
          {
            "name": "https://www.unicode.org/reports/tr36/",
            "refsource": "MISC",
            "url": "https://www.unicode.org/reports/tr36/"
          },
          {
            "name": "https://www.unicode.org/reports/tr39/",
            "refsource": "MISC",
            "url": "https://www.unicode.org/reports/tr39/"
          },
          {
            "name": "https://www.unicode.org/reports/tr31/",
            "refsource": "MISC",
            "url": "https://www.unicode.org/reports/tr31/"
          },
          {
            "name": "https://www.unicode.org/reports/tr9/tr9-44.html#HL4",
            "refsource": "MISC",
            "url": "https://www.unicode.org/reports/tr9/tr9-44.html#HL4"
          },
          {
            "name": "https://www.starwindsoftware.com/security/sw-20220804-0002/",
            "refsource": "MISC",
            "url": "https://www.starwindsoftware.com/security/sw-20220804-0002/"
          },
          {
            "name": "GLSA-202210-09",
            "refsource": "GENTOO",
            "url": "https://security.gentoo.org/glsa/202210-09"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:unicode:unicode:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "FAB64729-AF3D-46C0-B3B9-1588B46C524A",
                    "versionEndExcluding": "14.0.0",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
                    "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
                    "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
                    "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:starwindsoftware:starwind_virtual_san:v8r13:14398:*:*:*:*:*:*",
                    "matchCriteriaId": "DE49F316-C502-4D7A-AA70-D7745AEDAA93",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through 14.0. It permits the visual reordering of characters via control sequences, which can be used to craft source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters. Adversaries can leverage this to encode source code for compilers accepting Unicode such that targeted vulnerabilities are introduced invisibly to human reviewers. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard and the Unicode Bidirectional Algorithm (all versions). Due to text display behavior when text includes left-to-right and right-to-left characters, the visual order of tokens may be different from their logical order. Additionally, control characters needed to fully support the requirements of bidirectional text can further obfuscate the logical order of tokens. Unless mitigated, an adversary could craft source code such that the ordering of tokens perceived by human reviewers does not match what will be processed by a compiler/interpreter/etc. The Unicode Consortium has documented this class of vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms, and in Unicode Standard Annex #31, Unicode Identifier and Pattern Syntax. Also, the BIDI specification allows applications to tailor the implementation in ways that can mitigate misleading visual reordering in program text; see HL4 in Unicode Standard Annex #9, Unicode Bidirectional Algorithm."
          },
          {
            "lang": "es",
            "value": "** EN DISPUTA** Se ha detectado un problema en el algoritmo bidireccional de la especificaci\u00f3n Unicode hasta la versi\u00f3n 14.0. Permite la reordenaci\u00f3n visual de los caracteres a trav\u00e9s de secuencias de control, lo que puede ser utilizado para crear c\u00f3digo fuente que se traduce en una l\u00f3gica diferente a la ordenaci\u00f3n l\u00f3gica de los tokens ingeridos por los compiladores e int\u00e9rpretes. Los adversarios pueden aprovechar esto para codificar el c\u00f3digo fuente de los compiladores que aceptan Unicode, de manera que las vulnerabilidades objetivo se introduzcan de forma invisible para los revisores humanos. NOTA: el Consorcio Unicode ofrece el siguiente enfoque alternativo para presentar esta preocupaci\u00f3n. Se observa un problema en la naturaleza del texto internacional que puede afectar a las aplicaciones que implementan la compatibilidad con el est\u00e1ndar Unicode y el algoritmo bidireccional Unicode (todas las versiones). Debido al comportamiento de la visualizaci\u00f3n del texto cuando \u00e9ste incluye caracteres de izquierda a derecha y de derecha a izquierda, el orden visual de los tokens puede ser diferente de su orden l\u00f3gico. Adem\u00e1s, los caracteres de control necesarios para cumplir los requisitos del texto bidireccional pueden ofuscar a\u00fan m\u00e1s el orden l\u00f3gico de las fichas. A menos que se mitigue, un adversario podr\u00eda elaborar el c\u00f3digo fuente de tal manera que el orden de los tokens percibido por los revisores humanos no coincida con el que ser\u00e1 procesado por un compilador/interpretador/etc. El Consorcio Unicode ha documentado esta clase de vulnerabilidad en su documento, Informe T\u00e9cnico de Unicode #36, Consideraciones de Seguridad de Unicode. El Consorcio Unicode tambi\u00e9n proporciona orientaci\u00f3n sobre las mitigaciones para esta clase de problemas en la Norma T\u00e9cnica de Unicode #39, Mecanismos de Seguridad de Unicode, y en el Anexo de la Norma de Unicode #31, Identificador de Unicode y Sintaxis de Patrones. Adem\u00e1s, la especificaci\u00f3n BIDI permite a las aplicaciones adaptar la implementaci\u00f3n de manera que pueda mitigar la reordenaci\u00f3n visual enga\u00f1osa en el texto del programa; v\u00e9ase HL4 en el Anexo #9 del Est\u00e1ndar Unicode, Algoritmo Bidireccional Unicode."
          }
        ],
        "id": "CVE-2021-42574",
        "lastModified": "2024-04-11T01:13:06.963",
        "metrics": {
          "cvssMetricV2": [
            {
              "acInsufInfo": false,
              "baseSeverity": "MEDIUM",
              "cvssData": {
                "accessComplexity": "HIGH",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "availabilityImpact": "PARTIAL",
                "baseScore": 5.1,
                "confidentialityImpact": "PARTIAL",
                "integrityImpact": "PARTIAL",
                "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
                "version": "2.0"
              },
              "exploitabilityScore": 4.9,
              "impactScore": 6.4,
              "obtainAllPrivilege": false,
              "obtainOtherPrivilege": false,
              "obtainUserPrivilege": false,
              "source": "nvd@nist.gov",
              "type": "Primary",
              "userInteractionRequired": true
            }
          ],
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 1.6,
              "impactScore": 6.0,
              "source": "nvd@nist.gov",
              "type": "Primary"
            }
          ]
        },
        "published": "2021-11-01T04:15:07.970",
        "references": [
          {
            "source": "cve@mitre.org",
            "tags": [
              "Exploit",
              "Mailing List",
              "Mitigation",
              "Third Party Advisory"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/11/01/1"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Exploit",
              "Mailing List",
              "Third Party Advisory"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/11/01/4"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Mailing List",
              "Third Party Advisory"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/11/01/5"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Mailing List",
              "Third Party Advisory"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/11/01/6"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Mailing List"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/11/02/10"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Release Notes",
              "Vendor Advisory"
            ],
            "url": "http://www.unicode.org/versions/Unicode14.0.0/"
          },
          {
            "source": "cve@mitre.org",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IH2RG5YTR6ZZOLUV3EUPZEIJR7XHJLVD/"
          },
          {
            "source": "cve@mitre.org",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LQNTFF24ROHLVPLUOEISBN3F7QM27L4U/"
          },
          {
            "source": "cve@mitre.org",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QUPA37D57VPTDLSXOOGF4UXUEADOC4PQ/"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://security.gentoo.org/glsa/202210-09"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Exploit",
              "Technical Description",
              "Third Party Advisory"
            ],
            "url": "https://trojansource.codes"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Third Party Advisory",
              "US Government Resource"
            ],
            "url": "https://www.kb.cert.org/vuls/id/999008"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Exploit",
              "Mitigation",
              "Third Party Advisory"
            ],
            "url": "https://www.scyon.nl/post/trojans-in-your-source-code"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://www.starwindsoftware.com/security/sw-20220804-0002/"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Technical Description",
              "Vendor Advisory"
            ],
            "url": "https://www.unicode.org/reports/tr31/"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Technical Description",
              "Vendor Advisory"
            ],
            "url": "https://www.unicode.org/reports/tr36/"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Technical Description",
              "Vendor Advisory"
            ],
            "url": "https://www.unicode.org/reports/tr39/"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Technical Description",
              "Vendor Advisory"
            ],
            "url": "https://www.unicode.org/reports/tr9/tr9-44.html#HL4"
          }
        ],
        "sourceIdentifier": "cve@mitre.org",
        "vulnStatus": "Modified",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-94"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          }
        ]
      }
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...
  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.