CERT/CC Vulnerability Note VU#999008

Overview

Attacks that allow for unintended control of Unicode and homoglyphic characters, described by the researchers in this report leverage text encoding that may cause source code to be interpreted differently by a compiler than it appears visually to a human reviewer. Source code compilers, interpreters, and other development tools may permit Unicode control and homoglyph characters, changing the visually apparent meaning of source code.

Description

Internationalized text encodings require support for both left-to-right languages and also right-to-left languages. Unicode has built-in functions to allow for encoding of characters to account for bi-directional, or Bidi ordering. Included in these functions are characters that represent non-visual functions. These characters, as well as characters from other human language sets (i.e., English vs. Cyrillic) can also introduce ambiguities into the code base if improperly used.

This type of attack could potentially be used to compromise a code base by capitalizing on a gap in visually rendered source code as a human reviewer would see and the raw code that the compiler would evaluate.

Impact

The use of attacks that incorporate maliciously encoded source code may go undetected by human developers and by many automated coding tools. These attacks also work against many of the compilers currently in use. An attacker with the ability to influence source code could introduce undetected ambiguity into source code using this type of attack.

Solution

The simplest defense is to ban the use of text directionality control characters both in language specifications and in compilers implementing these languages.

Two CVEs were assigned to address the two types of attacks described in this report.

CVE-2021-42574 was created for tracking the Bidi attack. CVE-2021-42694 was created for tracking the homoglyph attack.

Acknowledgements

Thanks to the reporters, Nicholas Boucher and Ross Anderson of The University of Cambridge (UK).

This document was written by Chuck Yarbrough.

Vendor Information

999008

Filter by status:

Filter by content: Additional information available

Sort by:

Expand all

Atlassian Affected

Rust Security Response WG Affected

The LLVM Security Group Affected

Meta Not Affected

Veracode Not Affected

Node.js Unknown

Notified: 2021-10-19 Updated: 2024-12-10

CVE-2021-42574

Unknown

CVE-2021-42694

Unknown

VU#999008.1

Unknown

Vendor Statement

We have not received a statement from the vendor.

References

https://groups.google.com/g/nodejs-sec/c/_w6hoamG14E/m/MrmeX2WMBQAJ

CERT Addendum

Per the node.js statement published Nov 1, 2021, 1:29:33 PM:

You may have read the announcement today about the potential for supply chain attacks using characters within source files that are not visible to human code reviewers: https://www.trojansource.codes/.

The ECMAScript specification requires support for these characters (see section 12.1 at https://tc39.es/ecma262/#sec-unicode-format-control-characters). Node.js or any ECMAScript-compliant engine must allow these characters, which have valid uses in source code.

Due diligence including code scans (for example for licenses) should already be part of your processes both for the code you write and dependencies that you use within your application. The script provided by Red Hat [at] https://access.redhat.com/sites/default/files/find_unicode_control2--2021-11-01-1136.zip is a good way to scan and identify files that you may want to review with respect to usage of the special characters identified.

For some statically compiled languages, it may make sense to incorporate a check into the compiler instead of using an external script. However, for dynamic languages such as JavaScript, there are potential issues with that approach. These include:

** Finding out too late that there is usage of these characters. Dynamic languages may load a source file in the middle of their execution. At this point the application is already deployed and you don't necessarily want to block it from running and non-blocking warnings may not be noticed. It is more effective to scan all files that make up the application before it is run.

** The runtime overhead of the scan will be incurred unnecessarily every time the application is run. It is better to scan as part of your development/build/release processes as it will not add any additional runtime overhead once the application is deployed.

At this time, we do not plan to provide an option to scan at runtime. We recommend that external scripts/processes be used instead

Red Hat Unknown

Amazon Unknown

Apple Unknown

GitLab Inc. Unknown

GNU Compiler Collection Unknown

Google Unknown

Micro Focus Unknown

Microsoft Unknown

Oracle Corporation Unknown

Snyk Unknown

View all 16 vendors View less vendors

References

https://www.trojansource.codes/trojan-source.pdf

Other Information

CVE IDs:	CVE-2021-42574 CVE-2021-42694
API URL:	VINCE JSON \| CSAF
Date Public:	2021-11-09
Date First Published:	2021-11-09
Date Last Updated:	2024-12-10 02:09 UTC
Document Revision:	3

Software Engineering Institute

CERT Coordination Center

Compilers permit Unicode control and homoglyph characters

Vulnerability Note VU#999008

Overview

Description

Impact

Solution

Acknowledgements

Vendor Information

Atlassian Affected

Rust Security Response WG Affected

The LLVM Security Group Affected

Meta Not Affected

Veracode Not Affected

Node.js Unknown

Red Hat Unknown

Amazon Unknown

Apple Unknown

GitLab Inc. Unknown

GNU Compiler Collection Unknown

Google Unknown

Micro Focus Unknown

Microsoft Unknown

Oracle Corporation Unknown

Snyk Unknown

References

Other Information

Contact CERT/CC