Squirrel Engine Bug Can Allow Hackers to Hack Games and Cloud Services

Researchers have discovered a vulnerability in the Squirrel programming language. The Squirrel engine bug can allow hackers to hack games and cloud services. The vulnerability was disclosed responsibly on August 10, 2021.

The vulnerability is tracked as CVE-2021-41556. The issue occurs when a game library referred to as Squirrel Engine is used to execute untrusted code, and it affects the stable release branches 3.x and 2.x of Squirrel.

Squirrel is an open-source, object-oriented programming language. It is used for scripting video games, IoT devices and distributed transaction processing platforms such as Enduro/X.

In a blog post, Simon Scannell and Niklas Breitfeld said, “In a real-world scenario, an attacker could embed a malicious Squirrel script into a community map and distribute it via the trusted Steam Workshop.” They added, “When a server owner downloads and installs this malicious map onto his server, the Squirrel script is executed, escapes its VM, and takes control of the server machine.”

The flaw consists of an “out-of-bounds access via index confusion” when defining Squirrel classes. It can be exploited to hijack the control flow of a program and gain full control of the Squirrel VM.

The issue has been addressed in a code commit pushed on September 16. The changes have not been included in a new stable release; the last official version (v3.1) was released on March 27, 2016. Developers using Squirrel in their projects are strongly advised to apply the latest fixes by rebuilding it from source code in order to protect against any attacks.
