Squirrel Engine Bug Could Let Attackers Hack Games and Cloud Services

squirrel game programming language

Researchers have disclosed an out-of-bounds read vulnerability in the Squirrel programming language that can be abused by attackers to break out of the sandbox restrictions and execute arbitrary code within a SquirrelVM, thus giving a malicious actor complete access to the underlying machine.

Tracked as CVE-2021-41556, the issue occurs when a game library referred to as Squirrel Engine is used to execute untrusted code and affects stable release branches 3.x and 2.x of Squirrel. The vulnerability was responsibly disclosed on August 10, 2021.

Automatic GitHub Backups

Squirrel is an open-source, object-oriented programming language that’s used for scripting video games and as well as in IoT devices and distributed transaction processing platforms such as Enduro/X.

“In a real-world scenario, an attacker could embed a malicious Squirrel script into a community map and distribute it via the trusted Steam Workshop,” researchers Simon Scannell and Niklas Breitfeld said in a report shared with The Hacker News. “When a server owner downloads and installs this malicious map onto his server, the Squirrel script is executed, escapes its VM, and takes control of the server machine.”

The identified security flaw concerns an “out-of-bounds access via index confusion” when defining Squirrel classes that could be exploited to hijack the control flow of a program and gain full control of the Squirrel VM.

Prevent Data Breaches

While the issue has been addressed as part of a code commit pushed on September 16, it’s worth noting that the changes have not been included in a new stable release, with the last official version (v3.1) released on March 27, 2016. Maintainers who depend on Squirrel in their projects are highly recommended to apply the latest fixes by rebuilding it from source code in order to protect against any attacks.

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.