The maintainers of the Rust programming language have released a security update for a high-severity vulnerability that could be abused by a malicious party to purge files and directories from a vulnerable system in an unauthorized manner.
“An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn’t otherwise access or delete,” the Rust Security Response working group (WG) said in an advisory published on January 20, 2021.
Rust 1.0.0 through Rust 1.58.0 is affected by this vulnerability. The flaw, which is tracked as CVE-2022-21658 (CVSS score: 7.3), has been credited to security researcher Hans Kratz, with the team pushing out a fix in Rust version 1.58.1 shipped last week.
Specifically, the issue stems from an improperly implemented check to prevent recursive deletion of symbolic links (aka symlinks) in a standard library function named “std::fs::remove_dir_all.” This results in a race condition, which, in turn, could be reliably exploited by an adversary by abusing their access to a privileged program to delete sensitive directories.
“Instead of telling the system not to follow symlinks, the standard library first checked whether the thing it was about to delete was a symlink, and otherwise it would proceed to recursively delete the directory,” the advisory said. “This exposed a race condition: an attacker could create a directory and replace it with a symlink between the check and the actual deletion.”
Rust, while not a widely-used programming language, has witnessed a surge in adoption in recent years for its memory-related safety guarantees. Last year, Google announced that its open-source version of the Android operating system will add support for the programming language to prevent memory safety bugs.