Rust vulnerability enables attackers to delete files and directories

Rust vulnerability enables attackers to delete files and directories
Ryan is a senior editor at TechForge Media with over a decade of experience covering the latest technology and interviewing leading industry figures. He can often be sighted at tech conferences with a strong coffee in one hand and a laptop in the other. If it's geeky, he’s probably into it. Find him on Twitter: @Gadget_Ry

Maintainers of the Rust programming language have warned of a critical vulnerability that enables attackers to delete files and directories.

In a security advisory, the Rust Security Response Working Group wrote:

“The Rust Security Response WG was notified that the std::fs::remove_dir_all standard library function is vulnerable to a race condition enabling symlink following (CWE-363).

An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn’t otherwise access or delete.”

Rust 1.0.0 through Rust 1.58.0 is affected by the vulnerability. Rust 1.58.1 has been released which includes mitigations for the issue.

The maintainers warn macOS versions prior to 10.10 (Yosemite) and REDOX “don’t have usable APIs to properly mitigate the attack, and are thus still vulnerable even with a patched toolchain.”

Growing popularity

Rust hasn’t yet made it into the most widely-used programming languages but has surged in popularity in recent years.

In the 2021 Stack Overflow Survey, Rust retained its crown as the most loved language for the sixth consecutive year. However, the language is yet to crack the top 10 for usage—coming in at 16th place, just behind Kotlin and one spot ahead of Ruby.

Last year, Rust got its own independent foundation to help promote and drive the use of Rust “as an enterprise production-ready technology”. Five major companies are lending their support to the Rust Foundation: Microsoft, Huawei, Google, AWS, and, of course, Mozilla.

Just a couple of months after joining the Rust Foundation, Google announced that it’s adding support for the language to Android in a bid to prevent memory safety bugs.

“The Android OS uses Java extensively, effectively protecting large portions of the Android platform from memory bugs. Unfortunately, for the lower layers of the OS, Java and Kotlin are not an option,” explained Google.

“Rust provides memory safety guarantees by using a combination of compile-time checks to enforce object lifetime/ownership and runtime checks to ensure that memory accesses are valid.”

(Photo by Thomas Kinto on Unsplash)

Looking to revamp your digital transformation strategy? Learn more about Digital Transformation Week taking place on 11-12 May 2022 and discover key strategies for making your digital efforts a success.

Explore other upcoming enterprise technology events and webinars powered by TechForge here.

Tags: , , , , , , , , , ,

View Comments
Leave a comment

Leave a Reply

Your email address will not be published.