{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/123335#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"## Overview\r\nVarious programming languages lack proper validation of commands and, in some cases, also fail to escape arguments correctly when invoking commands in a Microsoft Windows environment. This command injection vulnerability allows an attacker to execute arbitrary code smuggled in as arguments to the command when a program built with one of these languages runs on Windows. Applications that execute commands without specifying the file extension may also be affected, because the name may be resolved to a batch file at run time.\r\n \r\n## Description\r\nProgramming languages typically provide a way to execute commands on the operating system (e.g., os/exec in Go). They also typically allow `arguments` to be passed along with the command; these are considered data (or variables) for the command being executed. The arguments themselves are expected not to be executable, and the command is expected to run with properly escaped arguments as its inputs. On Microsoft Windows, processes are created with the `CreateProcess` function. A batch file (.bat or .cmd) cannot be executed directly, so `CreateProcess` spawns `cmd.exe` to run it, and the whole command line then passes through cmd.exe's own parsing rules, which differ from the rules used by ordinary executables. Microsoft documented the difficulty of escaping command-line arguments correctly as early as 2011. See [https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way](https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way). \r\n \r\nA vulnerability was discovered in the way multiple programming languages fail to properly escape arguments in a Microsoft Windows command execution environment.  
This can lead to confusion at execution time, where what was meant to be an argument to a command is instead executed as a command itself. An attacker with knowledge of the programming language can craft inputs that the compiled program will hand to cmd.exe as commands. This unexpected behavior is due to the lack of neutralization of arguments by the programming language (or its command execution module) before it initiates a Windows execution environment. The researcher found that multiple programming languages and their command execution modules fail to perform such sanitization and/or validation before processing these arguments in their runtime environment. \r\n \r\n## Impact\r\nSuccessful exploitation of this vulnerability permits an attacker to execute arbitrary commands. The complete impact depends on the implementation that uses a vulnerable programming language or such a vulnerable module.\r\n \r\n## Solution\r\n#### Updating the runtime environment\r\nPlease visit the Vendor Information section to see whether your programming language vendor has released a patch for this vulnerability, and update the runtime environment to prevent abuse of this vulnerability. \r\n \r\n#### Update the programs and escape manually\r\nIf the runtime of your application does not provide a patch for this vulnerability and you need to execute batch files with user-controlled arguments, you will have to perform the escaping and neutralization of the data yourself to prevent unintended command execution. Because cmd.exe's parsing cannot be escaped reliably for every batch file (the reporter's post is titled accordingly), the conservative approach is to reject arguments containing characters that cmd.exe interprets or expands, and to avoid invoking batch files with untrusted input where possible. \r\n\r\nThe security researcher has more detailed information in the [blog post](https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/), which provides details on the specific languages that were identified and their status. 
\r\n\r\n## Acknowledgements\r\nThanks to the reporter, [RyotaK](https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/). This document was written by Timur Snoke.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL, if provided by the vendor, for more details. ","title":"Limitations of Advisory"},{"category":"other","text":"Added references.","title":"CERT/CC comment on Node.js notes"},{"category":"other","text":"Rust is affected by this, and we issued CVE-2024-24576 to track the issue. Rust 1.77.2 fixes the vulnerability, and we recommend that affected users recompile their programs with the new compiler version.","title":"Vendor statement from Rust Security Response WG"},{"category":"other","text":"yt-dlp is affected and CVE-2024-22423 was issued to track the vulnerability.","title":"Vendor statement from yt-dlp"},{"category":"other","text":"The Haskell *process* library is affected. We assigned HSEC-2024-0003 for this issue. A fix was released in process-1.6.19.0.","title":"Vendor statement from Haskell Programming Language"},{"category":"other","text":"This issue was identified by Microsoft in 2011 and continues to be a problem today. 
Thanks to a security researcher, the vulnerability is receiving greater attention and additional mitigations are being developed.","title":"CERT/CC comment on Microsoft notes"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/123335"},{"url":"https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way","summary":"https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way"},{"url":"https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7","summary":"https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7"},{"url":"https://github.com/rust-lang/rust/security/advisories/GHSA-q455-m56c-85mh","summary":"https://github.com/rust-lang/rust/security/advisories/GHSA-q455-m56c-85mh"},{"url":"https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-hjq6-52gw-2g7p","summary":"https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-hjq6-52gw-2g7p"},{"url":"https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2","summary":"https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2"},{"url":"https://github.com/haskell/security-advisories/blob/main/advisories/hackage/process/HSEC-2024-0003.md","summary":"https://github.com/haskell/security-advisories/blob/main/advisories/hackage/process/HSEC-2024-0003.md"},{"url":"https://osv.dev/vulnerability/HSEC-2024-0003","summary":"https://osv.dev/vulnerability/HSEC-2024-0003"},{"url":"https://nodejs.org/en/blog/release
/v18.20.2","summary":"Reference(s) from vendor \"Node.js\""},{"url":"https://nodejs.org/en/blog/release/v20.12.2","summary":"Reference(s) from vendor \"Node.js\""},{"url":"https://nodejs.org/en/blog/release/v21.7.3","summary":"Reference(s) from vendor \"Node.js\""},{"url":"https://github.com/rust-lang/rust/security/advisories/GHSA-q455-m56c-85mh","summary":"Reference(s) from vendor \"Rust Security Response WG\""},{"url":"https://blog.rust-lang.org/2024/04/09/cve-2024-24576.html","summary":"Reference(s) from vendor \"Rust Security Response WG\""},{"url":"https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-hjq6-52gw-2g7p","summary":"Reference(s) from vendor \"yt-dlp\""},{"url":"https://github.com/haskell/security-advisories/blob/main/advisories/hackage/process/HSEC-2024-0003.md","summary":"Reference(s) from vendor \"Haskell Programming Language\""}],"title":"Multiple programming languages fail to escape arguments properly in Microsoft Windows","tracking":{"current_release_date":"2024-05-13T13:18:55+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#123335","initial_release_date":"2024-04-10 15:13:48.515157+00:00","revision_history":[{"date":"2024-05-13T13:18:55+00:00","number":"1.20240513131855.8","summary":"Released on 2024-05-13T13:18:55+00:00"}],"status":"final","version":"1.20240513131855.8"}},"vulnerabilities":[{"title":"PHP CVE for this issue.","notes":[{"category":"summary","text":"PHP CVE for this issue"}],"cve":"CVE-2024-1874","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#123335"}],"product_status":{"known_not_affected":["CSAFPID-d88ccc0e-38b7-11f1-8422-122e2785dc9f","CSAFPID-d88d06e2-38b7-11f1-8422-122e2785dc9f","CSAFPID-d88d33ce-38b7-11f1-8422-122e2785dc9f","CSAFPID-d88d947c-38b7-11f1-8422-122e2785dc9f","CSAFPID-d88dc4ce-38b7-11f1-8422-122e2785dc9f","CSAFPID-d88e115e-38b7-11f1-8422-122e2785dc9f"]}},{"title":"Rust CVE for this issue.","notes":[{"category":"summary","text":"Rust CVE for this 
issue"}],"cve":"CVE-2024-24576","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#123335"}],"product_status":{"known_affected":["CSAFPID-d88f6b1c-38b7-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-d88e810c-38b7-11f1-8422-122e2785dc9f","CSAFPID-d88eaf7e-38b7-11f1-8422-122e2785dc9f","CSAFPID-d88efd30-38b7-11f1-8422-122e2785dc9f","CSAFPID-d88f9a10-38b7-11f1-8422-122e2785dc9f","CSAFPID-d88fd3c2-38b7-11f1-8422-122e2785dc9f"]}},{"title":"yt-dlp CVE for this issue.","notes":[{"category":"summary","text":"yt-dlp CVE for this issue"}],"cve":"CVE-2024-22423","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#123335"}],"product_status":{"known_affected":["CSAFPID-d8927802-38b7-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-d8909b04-38b7-11f1-8422-122e2785dc9f","CSAFPID-d890dcf4-38b7-11f1-8422-122e2785dc9f","CSAFPID-d89139f6-38b7-11f1-8422-122e2785dc9f","CSAFPID-d891efb8-38b7-11f1-8422-122e2785dc9f","CSAFPID-d8923af4-38b7-11f1-8422-122e2785dc9f"]}},{"title":"A command injection vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.","notes":[{"category":"summary","text":"A command injection vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied."}],"cve":"CVE-2024-3566","ids":[{"system_name":"CERT/CC V Identifier 
","text":"VU#123335"}],"references":[{"url":"https://github.com/haskell/security-advisories/blob/main/advisories/hackage/process/HSEC-2024-0003.md","summary":"https://github.com/haskell/security-advisories/blob/main/advisories/hackage/process/HSEC-2024-0003.md","category":"external"}],"product_status":{"known_affected":["CSAFPID-d89320fe-38b7-11f1-8422-122e2785dc9f","CSAFPID-d8936406-38b7-11f1-8422-122e2785dc9f","CSAFPID-d893c1c6-38b7-11f1-8422-122e2785dc9f","CSAFPID-d894233c-38b7-11f1-8422-122e2785dc9f","CSAFPID-d894fa82-38b7-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-d892f52a-38b7-11f1-8422-122e2785dc9f","CSAFPID-d8938e90-38b7-11f1-8422-122e2785dc9f","CSAFPID-d893f9a2-38b7-11f1-8422-122e2785dc9f","CSAFPID-d894669e-38b7-11f1-8422-122e2785dc9f","CSAFPID-d894b392-38b7-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"PostgreSQL","product":{"name":"PostgreSQL Products","product_id":"CSAFPID-d88ccc0e-38b7-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"R Programing Language","product":{"name":"R Programing Language Products","product_id":"CSAFPID-d88d06e2-38b7-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Microsoft","product":{"name":"Microsoft Products","product_id":"CSAFPID-d88d33ce-38b7-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Haskell Programming Language","product":{"name":"Haskell Programming Language Products","product_id":"CSAFPID-d88d63f8-38b7-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Rust Security Response WG","product":{"name":"Rust Security Response WG Products","product_id":"CSAFPID-d88d947c-38b7-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Red Hat","product":{"name":"Red Hat Products","product_id":"CSAFPID-d88dc4ce-38b7-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"yt-dlp","product":{"name":"yt-dlp Products","product_id":"CSAFPID-d88e115e-38b7-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"PostgreSQL","product":{"name":"PostgreSQL 
Products","product_id":"CSAFPID-d88e810c-38b7-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"R Programing Language","product":{"name":"R Programing Language Products","product_id":"CSAFPID-d88eaf7e-38b7-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Microsoft","product":{"name":"Microsoft Products","product_id":"CSAFPID-d88efd30-38b7-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Haskell Programming Language","product":{"name":"Haskell Programming Language Products","product_id":"CSAFPID-d88f43d0-38b7-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Rust Security Response WG","product":{"name":"Rust Security Response WG Products","product_id":"CSAFPID-d88f6b1c-38b7-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Red Hat","product":{"name":"Red Hat Products","product_id":"CSAFPID-d88f9a10-38b7-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"yt-dlp","product":{"name":"yt-dlp Products","product_id":"CSAFPID-d88fd3c2-38b7-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Erlang Programming Language","product":{"name":"Erlang Programming Language Products","product_id":"CSAFPID-d89022dc-38b7-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"PostgreSQL","product":{"name":"PostgreSQL Products","product_id":"CSAFPID-d8909b04-38b7-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"R Programing Language","product":{"name":"R Programing Language Products","product_id":"CSAFPID-d890dcf4-38b7-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Microsoft","product":{"name":"Microsoft Products","product_id":"CSAFPID-d89139f6-38b7-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Haskell Programming Language","product":{"name":"Haskell Programming Language Products","product_id":"CSAFPID-d891b1d8-38b7-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Rust Security Response WG","product":{"name":"Rust Security Response WG 
Products","product_id":"CSAFPID-d891efb8-38b7-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Red Hat","product":{"name":"Red Hat Products","product_id":"CSAFPID-d8923af4-38b7-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"yt-dlp","product":{"name":"yt-dlp Products","product_id":"CSAFPID-d8927802-38b7-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"R Programing Language","product":{"name":"R Programing Language Products","product_id":"CSAFPID-d892f52a-38b7-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Haskell Programming Language","product":{"name":"Haskell Programming Language Products","product_id":"CSAFPID-d89320fe-38b7-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Node.js","product":{"name":"Node.js Products","product_id":"CSAFPID-d8936406-38b7-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Microsoft","product":{"name":"Microsoft Products","product_id":"CSAFPID-d8938e90-38b7-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"The PHP Group","product":{"name":"The PHP Group Products","product_id":"CSAFPID-d893c1c6-38b7-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"PostgreSQL","product":{"name":"PostgreSQL Products","product_id":"CSAFPID-d893f9a2-38b7-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Rust Security Response WG","product":{"name":"Rust Security Response WG Products","product_id":"CSAFPID-d894233c-38b7-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Red Hat","product":{"name":"Red Hat Products","product_id":"CSAFPID-d894669e-38b7-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Go Programming Language","product":{"name":"Go Programming Language Products","product_id":"CSAFPID-d894b392-38b7-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"yt-dlp","product":{"name":"yt-dlp Products","product_id":"CSAFPID-d894fa82-38b7-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Erlang Programming Language","product":{"name":"Erlang Programming Language 
Products","product_id":"CSAFPID-d8952cdc-38b7-11f1-8422-122e2785dc9f"}}]}}
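The following worked example accompanies the "Update the programs and escape manually" guidance in the Summary note of the CSAF record above. It is an illustration added by the editor in Rust (the language behind the headline CVE-2024-24576) and is not code from CERT/CC, from the reporter's blog post, or from any vendor's fix. It contrasts the conventional CRT-style quoting described in the Microsoft article the record references, which is correct for ordinary executables, with a "neutralize by rejection" policy for arguments that will reach a batch file, and it includes a deliberately simplified model of cmd.exe's quote-toggling scan. Assumptions: the model treats only `"` as a quote toggle and only `& | < > ^ ( )` as operators outside quotes (real cmd.exe parsing has further cases, which is exactly why rejection is preferred over escaping); the function names `target_invokes_cmd`, `crt_quote`, `cmd_unquoted_metachars`, `bat_arg` and `build_command_line` are the editor's own; the payload string is constructed for the demonstration.

```rust
/// Characters cmd.exe interprets when unquoted, plus those it acts on even
/// inside quotes: `%` (variable expansion), `!` (delayed expansion, when
/// enabled) and `"` itself (every quote toggles cmd.exe's quoting state;
/// cmd.exe has no in-quote escape for a quote).
const CMD_SPECIAL: &str = "&|<>^()\"%!";

/// cmd.exe only becomes involved when CreateProcess is asked to run a batch
/// script: Windows rewrites a .bat/.cmd target into `cmd.exe /c "<command line>"`.
/// A bare name without an extension is flagged too, because PATH resolution may
/// pick a batch file (the "no file extension" case the advisory mentions).
fn target_invokes_cmd(program: &str) -> bool {
    let file_name = program.rsplit(|c: char| c == '\\' || c == '/').next().unwrap_or(program);
    match file_name.rsplit_once('.') {
        Some((_, ext)) => ext.eq_ignore_ascii_case("bat") || ext.eq_ignore_ascii_case("cmd"),
        None => true,
    }
}

/// Conventional quoting for CommandLineToArgvW/CRT-style parsers (the rules in
/// the Microsoft article cited by the advisory): wrap in quotes, write `"` as
/// `\"`, and double any run of backslashes that precedes a quote. Correct for
/// .exe targets; the affected runtimes applied it to batch files as well.
fn crt_quote(arg: &str) -> String {
    let mut out = String::from("\"");
    let mut backslashes = 0;
    for c in arg.chars() {
        match c {
            '\\' => backslashes += 1,
            '"' => {
                out.push_str(&"\\".repeat(backslashes * 2 + 1));
                out.push('"');
                backslashes = 0;
            }
            _ => {
                out.push_str(&"\\".repeat(backslashes));
                out.push(c);
                backslashes = 0;
            }
        }
    }
    out.push_str(&"\\".repeat(backslashes * 2));
    out.push('"');
    out
}

/// Simplified model (editor's assumption) of how cmd.exe scans a command line:
/// each `"` toggles quoting and the operators below are live only while
/// unquoted. Real cmd.exe also honours `^` escapes and other cases; this model
/// exists only to show why CRT-style quoting is not enough. Returns live operators.
fn cmd_unquoted_metachars(cmdline: &str) -> Vec<char> {
    let mut in_quotes = false;
    let mut live = Vec::new();
    for c in cmdline.chars() {
        if c == '"' {
            in_quotes = !in_quotes;
        } else if !in_quotes && "&|<>^()".contains(c) {
            live.push(c);
        }
    }
    live
}

/// Neutralisation by rejection for an argument that will reach a batch file.
/// The caller cannot know how the script expands the parameter (`%1` keeps the
/// quotes, `%~1` strips them), so any character cmd.exe could act on is refused
/// rather than escaped. Control characters (CR/LF would end the command line)
/// and a trailing backslash (which would escape the closing quote if the script
/// re-quotes the value for a CRT-style child) are refused as well.
fn bat_arg(arg: &str) -> Result<String, String> {
    if arg.chars().any(|c| c.is_ascii_control()) {
        return Err("control characters (including CR/LF) are not allowed".to_string());
    }
    if let Some(c) = arg.chars().find(|c| CMD_SPECIAL.contains(*c)) {
        return Err(format!("{:?} is interpreted by cmd.exe and cannot be neutralised reliably", c));
    }
    if arg.ends_with('\\') {
        return Err("trailing backslash would escape the closing quote".to_string());
    }
    Ok(format!("\"{}\"", arg))
}

/// Build the command line, choosing the argument policy by target type.
fn build_command_line(program: &str, args: &[&str]) -> Result<String, String> {
    let mut line = crt_quote(program);
    for arg in args {
        let quoted = if target_invokes_cmd(program) { bat_arg(arg)? } else { crt_quote(arg) };
        line.push(' ');
        line.push_str(&quoted);
    }
    Ok(line)
}

fn main() {
    // Constructed input in the shape of the BatBadBut payload: a quote followed by an operator.
    let payload = "\"&calc";
    let naive = crt_quote(payload);
    println!("CRT quoting yields {}; cmd.exe sees live operators {:?}", naive, cmd_unquoted_metachars(&naive));
    println!("batch policy: {:?}", build_command_line("build.bat", &[payload]));
    println!("exe policy:   {:?}", build_command_line("tool.exe", &[payload]));
}
```

Running the block shows the failure mode directly: CRT quoting turns `"&calc` into `"\"&calc"`, and under cmd.exe's quote-toggling scan the `&` lands outside any quoted span, so a batch target would execute `calc`. For an .exe target the same string is parsed by the CRT rules and is harmless, which is why the policy must be chosen by target type rather than applied uniformly. Rejecting rather than escaping is the conservative choice because the caller does not control how the script expands its parameters; a patched runtime (for example Rust 1.77.2, per the vendor statement above) removes the need for this hand-rolled policy.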