Researchers have disclosed an out-of-bounds read vulnerability in the Squirrel programming language that can be abused by attackers to break out of the sandbox restrictions and execute arbitrary code within a SquirrelVM, thus giving a malicious actor complete access to the underlying machine.
Tracked as CVE-2021-41556, the issue occurs when a game library referred to as Squirrel Engine is used to execute untrusted code and affects stable release branches 3.x and 2.x of Squirrel. The vulnerability was responsibly disclosed on August 10, 2021.
Squirrel is an open-source, object-oriented programming language that's used for scripting video games and as well as in IoT devices and distributed transaction processing platforms such as Enduro/X.
“In a real-world scenario, an attacker could embed a malicious Squirrel script into a community map and distribute it via the trusted Steam Workshop,” researchers Simon Scannell and Niklas Breitfeld said in a report shared with The Hacker News. “When a server owner downloads and installs this malicious map onto his server, the Squirrel script is executed, escapes its VM, and takes control of the server machine.”
The identified security flaw concerns an “out-of-bounds access via index confusion” when defining Squirrel classes that could be exploited to hijack the control flow of a program and gain full control of the Squirrel VM.
While the issue has been addressed as part of a code commit pushed on September 16, it's worth noting that the changes have not been included in a new stable release, with the last official version (v3.1) released on March 27, 2016. Maintainers who depend on Squirrel in their projects are highly recommended to apply the latest fixes by rebuilding it from source code in order to protect against any attacks.