CVE-2021-42574 - Unrendered unicode bidirectional override characters may impact apps with code visualizing components

A vulnerability has been identified in which Unicode bidirectional (Bidi) override characters are not rendered, or otherwise made visible, by the affected applications. Browsers and code editors typically do not display these control characters, yet they change the order in which the surrounding text is displayed. Source code can therefore read one way to a human reviewer and mean something else when a compiler or interpreter processes it in logical (byte) order.

Technical details

Several popular development tools were found to be vulnerable to the bidirectional-character-based Trojan Source attack, in which Bidi override control characters that change the display order of text are embedded in source code so that it appears different to a human reader than to the compiler.

For example, when you copy and paste a code snippet containing Bidi override characters into a vulnerable code editor or code block, the characters that reorder the displayed text are not shown. Many websites and online editors do not render these control characters, so a developer could unintentionally introduce an attacker’s code into their own codebase by copying and pasting a snippet from a vulnerable website, without realizing it. Further security considerations for Bidi control characters are documented by the Unicode Consortium (UTR #36, Unicode Security Considerations).

An illustration of bidirectional characters in code:
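The following is an added example, not part of the original advisory and not Atlaskit code. It builds the "commenting-out" Trojan Source pattern from the Boucher and Anderson paper in JavaScript and runs it the way an engine would, so the difference between what the reviewer reads and what the engine executes is concrete. The helper names (buildTrojanSource, buildDisplayedSource, runSnippet, countBidiControls) are hypothetical, and the snippet is constructed for this example.

```javascript
// Added example (not Atlassian or Atlaskit code). Constructs the
// "commenting-out" Trojan Source pattern in JavaScript and executes it to
// show what the engine sees. Helper names are hypothetical.

const RLO = "\u202E"; // RIGHT-TO-LEFT OVERRIDE
const LRI = "\u2066"; // LEFT-TO-RIGHT ISOLATE
const PDI = "\u2069"; // POP DIRECTIONAL ISOLATE

// Logical order, i.e. the byte order the JavaScript engine parses. Line 2 is
// one complete block comment that swallows the `if (isAdmin) {` guard, and
// line 4 is a comment that swallows the closing brace, so the log call on
// line 3 runs unconditionally.
function buildTrojanSource() {
  return [
    "const isAdmin = false;",
    `/*${RLO} } ${LRI}if (isAdmin)${PDI} ${LRI} begin admins only */`,
    '    log("You are an admin.");',
    `/* end admins only ${RLO} { ${LRI}*/`,
  ].join("\n");
}

// Roughly what a Bidi-aware display that hides the control characters shows
// the reviewer: the RLO reverses the rest of each line (mirroring the braces)
// while the isolates keep "if (isAdmin)" and "begin admins only */" readable,
// so the code appears to be a correctly guarded block.
function buildDisplayedSource() {
  return [
    "const isAdmin = false;",
    "/* begin admins only */ if (isAdmin) {",
    '    log("You are an admin.");',
    "/* end admins only */ }",
  ].join("\n");
}

// Compile and run a snippet as an engine would, capturing what it logs.
function runSnippet(source) {
  const logged = [];
  new Function("log", source)((msg) => logged.push(msg));
  return logged;
}

// Count the Bidi embedding, override and isolate controls (U+202A..U+202E,
// U+2066..U+2069) in a string; these are the characters the CVE is about.
function countBidiControls(source) {
  return (source.match(/[\u202A-\u202E\u2066-\u2069]/g) || []).length;
}

// Stand-alone demo: the code the reviewer sees logs nothing, the code the
// engine runs logs the admin message although isAdmin is false.
console.log(runSnippet(buildDisplayedSource()));
console.log(runSnippet(buildTrojanSource()));
console.log(countBidiControls(buildTrojanSource()));
```

Both versions contain the same visible characters; only the six control characters differ, which is why a renderer that hides them leaves the reviewer with no way to tell the two apart.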

MITRE has issued CVE-2021-42574 against the Unicode specification; it will be used to track the primary attack pattern, which uses Bidi control characters.

Severity

Atlassian rates the severity level of this vulnerability as high, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own app and IT environment.

Impact to Atlassian

Fixed versions of the impacted Atlassian Cloud, Server, and Data Center products have been released to mitigate this vulnerability. A security advisory has been published as general guidance to customers about the impacted products.

What does it mean for my app?

The Atlaskit packages @atlaskit/editor-core, @atlaskit/editor-common, @atlaskit/renderer, and @atlaskit/code are also affected by CVE-2021-42574. Apps that use these components are therefore also potentially vulnerable to the bidirectional-character-based Trojan Source attack.

Patches for these Atlaskit packages have been released that render Bidi control characters visibly instead of hiding them. App developers who resolve these Atlaskit packages into their codebase are recommended to upgrade to the following patched versions:

  • @atlaskit/code@14.2.0
  • @atlaskit/editor-common@60.3.0
  • @atlaskit/editor-core@151.1.0
  • @atlaskit/renderer@82.1.0

However, if your app does not use Atlaskit but embeds a code editor or script console that does not visualize Bidi control characters, then your app is likely vulnerable.

Upgrading to patched versions of third-party code-visualizing components, or switching to an alternative library that highlights these Unicode control characters, are possible ways to mitigate the risk from this vulnerability.
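As an added example (not Atlaskit's code; the function names are hypothetical), the block below shows the kind of handling the patched components apply: each Bidi control is rendered as a visible badge rather than hidden. It also includes a scanner an app can run over pasted snippets that reports every control with its position and flags embeddings, overrides and isolates that are not closed on the same line. Legitimate right-to-left text inside a string or comment is normally balanced, so this check separates a Trojan Source payload from real RTL content, which is why highlighting is preferable to stripping. The sample input is constructed for this example.

```javascript
// Added example (not Atlaskit code; names are hypothetical): make Bidi
// control characters visible as badges and scan text for them.

// Unicode Bidi controls: embeddings/overrides are closed by PDF (U+202C),
// isolates by PDI (U+2069); the marks LRM/RLM/ALM are not paired.
const BIDI_CONTROLS = new Map([
  [0x202a, { name: "LRE", closer: 0x202c }],
  [0x202b, { name: "RLE", closer: 0x202c }],
  [0x202d, { name: "LRO", closer: 0x202c }],
  [0x202e, { name: "RLO", closer: 0x202c }],
  [0x202c, { name: "PDF", closer: null }],
  [0x2066, { name: "LRI", closer: 0x2069 }],
  [0x2067, { name: "RLI", closer: 0x2069 }],
  [0x2068, { name: "FSI", closer: 0x2069 }],
  [0x2069, { name: "PDI", closer: null }],
  [0x200e, { name: "LRM", closer: null }],
  [0x200f, { name: "RLM", closer: null }],
  [0x061c, { name: "ALM", closer: null }],
]);

const CLOSERS = new Set([0x202c, 0x2069]);

function badge(cp, name) {
  return `⟨U+${cp.toString(16).toUpperCase().padStart(4, "0")} ${name}⟩`;
}

// Replace each Bidi control with a visible badge such as ⟨U+202E RLO⟩. The
// output contains no controls, so nothing is reordered, and the reader sees
// exactly where they were placed.
function visualizeBidi(text) {
  let out = "";
  for (const ch of text) {
    const cp = ch.codePointAt(0);
    const info = BIDI_CONTROLS.get(cp);
    out += info ? badge(cp, info.name) : ch;
  }
  return out;
}

// Report every Bidi control with 1-based line/column and flag embeddings,
// overrides and isolates still open at the end of their line. The Bidi
// algorithm resets at a line break anyway, so an unterminated control is
// pointless for legitimate RTL text and is the hallmark of a Trojan Source
// payload. The pairing is a heuristic (under UAX #9 a PDI also closes
// embeddings nested inside the isolate); it is a review aid, not a full
// implementation of the algorithm.
function scanBidi(text) {
  const findings = [];
  text.split("\n").forEach((line, lineIdx) => {
    const open = []; // stack of { closer, finding }
    let col = 0;
    for (const ch of line) {
      col += 1;
      const cp = ch.codePointAt(0);
      const info = BIDI_CONTROLS.get(cp);
      if (!info) continue;
      const finding = { line: lineIdx + 1, col, codePoint: cp, name: info.name, unterminated: false };
      findings.push(finding);
      if (info.closer !== null) {
        open.push({ closer: info.closer, finding });
      } else if (CLOSERS.has(cp)) {
        for (let k = open.length - 1; k >= 0; k -= 1) {
          if (open[k].closer === cp) { open.splice(k, 1); break; }
        }
      }
    }
    for (const o of open) o.finding.unterminated = true;
  });
  return findings;
}

// Constructed sample: a legitimate, balanced RLI...PDI around Hebrew text,
// followed by the commenting-out line of a Trojan Source payload.
const SAMPLE = [
  'const label = "\u2067\u05E9\u05DC\u05D5\u05DD\u2069 world";',
  "/*\u202E } \u2066if (isAdmin)\u2069 \u2066 begin admins only */",
].join("\n");

console.log(visualizeBidi(SAMPLE));
console.log(scanBidi(SAMPLE).filter((f) => f.unterminated));
```

Run over the sample, the scanner reports all six controls but flags only the two unterminated ones on the payload line (the RLO and the second LRI); the balanced isolate around the Hebrew label is reported without a flag, so a user can still decide for themselves whether it belongs there.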

If you have any questions or concerns, please reply to this thread or raise a support request at https://support.atlassian.com/.


Would it be a possible solution to just strip these characters from being displayed?

As for our app, I would simply remove these UTF-8 characters before displaying the content.

UPDATE: We will also fix it the same way Atlassian does, by simply displaying the characters as yellow badges in the code.


Hi @clouless,

It is completely up to the app developers to decide whether these bidirectional characters are to be disallowed or removed from the content. It is not listed as a possible solution due to the fact that it does not support legitimate use cases and does not allow users to make the decision for themselves.

Thanks,
Srivathsav Gandrathi
Ecosystem Security Team


@SrivathsavGandrathi Do I get it right that the primary attack mechanism to exploit this would be to embed invisible or hard to detect code into a useful / harmless piece of code that then gets inserted into a context where it can be executed?

To make it more concrete: I write a Confluence page about “Getting started with Bash scripting” containing an example “echo ‘Hello world’” that I ask my reader to execute in their terminal and then the actual code is “echo ‘Hello world’ && rm -rf /”?

(Btw. I do get that there are other ways: e.g. submitting PRs to OSS or proprietary software that contain these bidi characters to confuse/trick reviewers).

Best, Chris


@christoffer - yes.

We didn’t think this was completely clear so we wrote a thing that hopefully illustrates this a bit: https://www.adaptavist.com/blog/trojan-codes-in-atlassian-products-and-scriptrunner


Hi @christoffer, please note that CVE-2021-42574 primarily refers to the vulnerability of only bidirectional override characters not being displayed and not any other contents of the code. While it is possible to obfuscate the true logic of source code by embedding these Unicode characters that change the display order of the text, it is not possible to hide other characters that are not Bidi unicodes.

Yes, PR is one of the ways to sneak in potential vulnerabilities into a product using these unrendered unicodes.

Thanks,
Srivathsav Gandrathi
Ecosystem Security Team


Hi @jechlin,
Thanks for sharing. Good idea to put it into the context of your apps. We have a similar ‘setup’ where some features/apps can be used as a transport mechanism, and others could even be used as a means to execute such an attack.
Cheers, Chris


awesome blogpost :slight_smile: :+1: :tada: