Squirrel Engine Bug Could Let Attackers Hack Games and Cloud Services

Technology

Researchers have disclosed an out-of-bounds read vulnerability in the Squirrel programming language that can be abused by attackers to break out of the sandbox restrictions and execute arbitrary code within a SquirrelVM, thus giving a malicious actor complete access to the underlying machine.

Tracked as CVE-2021-41556, the issue occurs when a game library referred to as Squirrel Engine is used to execute untrusted code and affects stable release branches 3.x and 2.x of Squirrel. The vulnerability was responsibly disclosed on August 10, 2021.

Automatic GitHub Backups

Squirrel is an open-source, object-oriented programming language that’s used for scripting video games and as well as in IoT devices and distributed transaction processing platforms such as Enduro/X.

“In a real-world scenario, an attacker could embed a malicious Squirrel script into a community map and distribute it via the trusted Steam Workshop,” researchers Simon Scannell and Niklas Breitfeld said in a report shared with The Hacker News. “When a server owner downloads and installs this malicious map onto his server, the Squirrel script is executed, escapes its VM, and takes control of the server machine.”

The identified security flaw concerns an “out-of-bounds access via index confusion” when defining Squirrel classes that could be exploited to hijack the control flow of a program and gain full control of the Squirrel VM.

Prevent Ransomware Attacks

While the issue has been addressed as part of a code commit pushed on September 16, it’s worth noting that the changes have not been included in a new stable release, with the last official version (v3.1) released on March 27, 2016. Maintainers who depend on Squirrel in their projects are highly recommended to apply the latest fixes by rebuilding it from source code in order to protect against any attacks.

Products You May Like

Articles You May Like

Chainsaw Man: Explaining Power And Aki’s Unexpected Return
Red Magic 10 Pro+, Red Magic 10 Pro With Snapdragon 8 Elite ‘Extreme Edition’ Chip Launched: Price, Specifications
‘Red One’ Press Conference with Dwayne Johnson and More
Chloe Fineman Says Elon Musk SNL Host Who Made Her ‘Burst Into Tears’
Husband of Gossip Girl actor Chanel Banks confirms her safety – NBC Los Angeles