Connect with us

WordPress News

Squirrel Engine Bug Could Let Attackers Hack Games and Cloud Services

Published

on


squirrel game programming language

Researchers have disclosed an out-of-bounds read vulnerability in the Squirrel programming language that can be abused by attackers to break out of the sandbox restrictions and execute arbitrary code within a SquirrelVM, thus giving a malicious actor complete access to the underlying machine.

Tracked as CVE-2021-41556, the issue occurs when a game library referred to as Squirrel Engine is used to execute untrusted code and affects stable release branches 3.x and 2.x of Squirrel. The vulnerability was responsibly disclosed on August 10, 2021.

Automatic GitHub Backups

Squirrel is an open-source, object-oriented programming language that’s used for scripting video games and as well as in IoT devices and distributed transaction processing platforms such as Enduro/X.

“In a real-world scenario, an attacker could embed a malicious Squirrel script into a community map and distribute it via the trusted Steam Workshop,” researchers Simon Scannell and Niklas Breitfeld said in a report shared with The Hacker News. “When a server owner downloads and installs this malicious map onto his server, the Squirrel script is executed, escapes its VM, and takes control of the server machine.”

The identified security flaw concerns an “out-of-bounds access via index confusion” when defining Squirrel classes that could be exploited to hijack the control flow of a program and gain full control of the Squirrel VM.

Prevent Data Breaches

While the issue has been addressed as part of a code commit pushed on September 16, it’s worth noting that the changes have not been included in a new stable release, with the last official version (v3.1) released on March 27, 2016. Maintainers who depend on Squirrel in their projects are highly recommended to apply the latest fixes by rebuilding it from source code in order to protect against any attacks.





Source link

Continue Reading
Click to comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.