{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/999008#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nAttacks that allow for unintended control of Unicode and homoglyphic characters, described by the researchers in this [report](https://www.trojansource.codes/trojan-source.pdf), leverage text encoding that may cause source code to be interpreted differently by a compiler than it appears visually to a human reviewer. Source code compilers, interpreters, and other development tools may permit Unicode control and homoglyph characters, changing the visually apparent meaning of source code.\r\n\r\n### Description\r\nInternationalized text encodings require support for both left-to-right languages and also right-to-left languages. Unicode has built-in functions to allow for encoding of characters to account for bi-directional, or Bidi ordering. Included in these functions are characters that represent non-visual functions. These characters, as well as characters from other human language sets (e.g., English vs. Cyrillic), can also introduce ambiguities into the code base if improperly used.\r\n\r\nThis type of attack could potentially be used to compromise a code base by capitalizing on a gap between the visually rendered source code as a human reviewer would see it and the raw code that the compiler would evaluate.\r\n\r\n### Impact\r\nThe use of attacks that incorporate maliciously encoded source code may go undetected by human developers and by many automated coding tools. These attacks also work against many of the compilers currently in use. An attacker with the ability to influence source code could introduce undetected ambiguity into source code using this type of attack. 
\r\n\r\n### Solution\r\nThe simplest defense is to ban the use of text directionality control characters both in language specifications and in compilers implementing these languages.\r\n\r\nTwo CVEs were assigned to address the two types of attacks described in this report.\r\n\r\nCVE-2021-42574 was created for tracking the Bidi attack. \r\nCVE-2021-42694 was created for tracking the homoglyph attack.\r\n\r\n### Acknowledgements\r\nThanks to the reporters, Nicholas Boucher and Ross Anderson of The University of Cambridge (UK).\r\n\r\nThis document was written by Chuck Yarbrough.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"},{"category":"other","text":"Per the node.js statement published Nov 1, 2021, 1:29:33 PM:\r\n> You may have read the announcement today about the potential for supply chain attacks using characters within source files that are not visible to human code reviewers: https://www.trojansource.codes/.\r\n\r\n> The ECMAScript specification requires support for these characters (see section 12.1 at https://tc39.es/ecma262/#sec-unicode-format-control-characters). 
Node.js or any ECMAScript-compliant engine must allow these characters, which have valid uses in source code.\r\n\r\n> Due diligence including code scans (for example for licenses) should already be part of your processes both for the code you write and dependencies that you use within your application. The script provided by Red Hat [at] https://access.redhat.com/sites/default/files/find_unicode_control2--2021-11-01-1136.zip is a good way to scan and identify files that you may want to review with respect to usage of the special characters identified.\r\n\r\n> For some statically compiled languages, it may make sense to incorporate a check into the compiler instead of using an external script. However, for dynamic languages such as JavaScript, there are potential issues with that approach. These include:\r\n\r\n> ** Finding out too late that there is usage of these characters. Dynamic languages may load a source file in the middle of their execution. At this point the application is already deployed and you don't necessarily want to block it from running and non-blocking warnings may not be noticed. It is more effective to scan all files that make up the application before it is run.\r\n\r\n> ** The runtime overhead of the scan will be incurred unnecessarily every time the application is run. It is better to scan as part of your development/build/release processes as it will not add any additional runtime overhead once the application is deployed.\r\n\r\n> At this time, we do not plan to provide an option to scan at runtime. We recommend that external scripts/processes be used instead","title":"CERT/CC comment on Node.js notes"},{"category":"other","text":"Regarding CVE-2021-42574, the Rust project released Rust 1.56.1, featuring new lints to alert developers about the presence of bidirectional-override codepoints in their source code. 
No built-in mitigation is present in Rust 1.0.0 to Rust 1.56.0: we recommend users of those compiler versions to either upgrade to a newer compiler, or to perform out-of-band checks for the presence of those codepoints in their codebase.\r\n\r\nRegarding CVE-2021-42694, Rust already includes protection from homoglyphs in identifiers. Rust 1.0.0 to Rust 1.52.1 doesn't support non-ASCII identifiers, which prevents the issue completely. Rust 1.53.0 and later versions do support non-ASCII identifiers, but include lints to alert developers about the presence of homoglyphs or similar issues.","title":"Vendor statement from Rust Security Response WG"},{"category":"other","text":"In a future release the LLVM project will include new checkers as part of clang-tidy to detect occurrences of both CVE-2021-42574 and CVE-2021-42694. In the meantime we recommend clang users to perform out-of-band checks for the presence of these security issues in their codebases.","title":"Vendor statement from The LLVM Security Group"},{"category":"other","text":"Red Hat's guidance for this issue can be found at Security Bulletin RHSB-2021-007","title":"Vendor statement from Red Hat"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/999008"},{"url":"https://www.trojansource.codes/trojan-source.pdf","summary":"https://www.trojansource.codes/trojan-source.pdf"},{"url":"https://groups.google.com/g/nodejs-sec/c/_w6hoamG14E/m/MrmeX2WMBQAJ","summary":"Reference(s) from vendor 
\"Node.js\""},{"url":"https://blog.rust-lang.org/2021/11/01/cve-2021-42574.html","summary":"Reference(s) from vendor \"Rust Security Response WG\""},{"url":"https://bugs.chromium.org/p/llvm/issues/detail?id=11","summary":"Reference(s) from vendor \"The LLVM Security Group\""},{"url":"https://confluence.atlassian.com/security/cve-2021-42574-unrendered-unicode-bidirectional-override-characters-in-cloud-sites-1086420599.html","summary":"Reference(s) from vendor \"Atlassian\""},{"url":"https://confluence.atlassian.com/security/multiple-products-security-advisory-unrendered-unicode-bidirectional-override-characters-cve-2021-42574-1086419475.html","summary":"Reference(s) from vendor \"Atlassian\""},{"url":"https://access.redhat.com/security/vulnerabilities/RHSB-2021-007","summary":"Reference(s) from vendor \"Red Hat\""}],"title":"Compilers permit Unicode control and homoglyph characters","tracking":{"current_release_date":"2024-12-10T02:09:19+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#999008","initial_release_date":"2021-11-09 16:38:24.935677+00:00","revision_history":[{"date":"2024-12-10T02:09:19+00:00","number":"1.20241210020919.3","summary":"Released on 2024-12-10T02:09:19+00:00"}],"status":"final","version":"1.20241210020919.3"}},"vulnerabilities":[{"title":"Unicode's bidirectional ('Bidi') override characters can make code appear different to a human reviewer than to a compiler.","notes":[{"category":"summary","text":"Unicode's bidirectional ('Bidi') override characters can make code appear different to a human reviewer than to a compiler. Although compilers typically raise alarms for control characters directly in code, they can be embedded in either strings or comments and used to manipulate the way a line of code is represented to a human reviewer. 
Similarly, homoglyphs can be used to define adversarial functions that can be invoked without any visual effects in source code.\r\n\r\nThe net effect is that attackers with direct or indirect access to source code can introduce hidden vulnerabilities at the source-code encoding level that cannot be seen directly by developers.\r\n\r\nThis novel attack vector poses an immediate threat to a wide range of software. We present working examples of attacks and simple defense techniques for languages, text editors, code repositories, build pipelines, and compilers."}],"ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#999008"}],"product_status":{"known_affected":["CSAFPID-680c8bd0-39da-11f1-8422-122e2785dc9f","CSAFPID-680cfce6-39da-11f1-8422-122e2785dc9f","CSAFPID-680d3e04-39da-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-680c1e98-39da-11f1-8422-122e2785dc9f","CSAFPID-680cc1ae-39da-11f1-8422-122e2785dc9f"]}},{"title":"Created to track the bidi, or bidirectional, attack vector.","notes":[{"category":"summary","text":"Created to track the bidi, or bidirectional, attack vector."}],"cve":"CVE-2021-42574","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#999008"}],"product_status":{"known_affected":["CSAFPID-680dbc58-39da-11f1-8422-122e2785dc9f","CSAFPID-680deade-39da-11f1-8422-122e2785dc9f"]}},{"title":"Created to track the homoglyph attack vector.","notes":[{"category":"summary","text":"Created to track the homoglyph attack vector."}],"cve":"CVE-2021-42694","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#999008"}],"product_status":{"known_affected":["CSAFPID-680eab5e-39da-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-680ee7ea-39da-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Veracode","product":{"name":"Veracode Products","product_id":"CSAFPID-680c1e98-39da-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Red Hat","product":{"name":"Red Hat 
Products","product_id":"CSAFPID-680c58f4-39da-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Atlassian","product":{"name":"Atlassian Products","product_id":"CSAFPID-680c8bd0-39da-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Meta","product":{"name":"Meta Products","product_id":"CSAFPID-680cc1ae-39da-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Rust Security Response WG","product":{"name":"Rust Security Response WG Products","product_id":"CSAFPID-680cfce6-39da-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"The LLVM Security Group","product":{"name":"The LLVM Security Group Products","product_id":"CSAFPID-680d3e04-39da-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Red Hat","product":{"name":"Red Hat Products","product_id":"CSAFPID-680d920a-39da-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Atlassian","product":{"name":"Atlassian Products","product_id":"CSAFPID-680dbc58-39da-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Rust Security Response WG","product":{"name":"Rust Security Response WG Products","product_id":"CSAFPID-680deade-39da-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Red Hat","product":{"name":"Red Hat Products","product_id":"CSAFPID-680e71fc-39da-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Atlassian","product":{"name":"Atlassian Products","product_id":"CSAFPID-680eab5e-39da-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Rust Security Response WG","product":{"name":"Rust Security Response WG Products","product_id":"CSAFPID-680ee7ea-39da-11f1-8422-122e2785dc9f"}}]}}