10/10 CVSS for Rust (and other's) CreateProcess implementation, CVE-2024-24576

[rcmaehl]

TL;DR: Create_Process calls cmd.exe if passed a .bat or .cmd file, however the non-standard character escaping of cmd.exe allows arbitrary code execution.

NVD - CVE-2024-24576 (nist.gov)
https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows

[TheDcoder]

The 10/10 rating for this is highly inaccurate, that should only be reserved for fully remote arbitrary code execution. I agree with the points made in this video:

 

[Andreik]

2 hours ago, TheDcoder said:

The 10/10 rating for this is highly inaccurate

Not necessarily. If the scoring implies just the severity, this CVSS is technically correct, but it's very unlikely to find this exploit in the wild. Since there are other scores to measure other metrics of an exploit, this CVSS might reflect just a calitative metric, without taking in consideration a quantitative metric, so the scoring in this case it's accurate. If an overall score it's meant then yes, it's over rated.

[TheDcoder]

8 hours ago, Andreik said:

If the scoring implies just the severity, this CVSS is technically correct

Then every code execution vulnerability should get this rating... but they don't.

[Andreik]

Saying that you over simplify the scoring process. It not that simple, code execution doesn't automatically mean maximum severity or same score for all kind of vulnerabilities in that class. They score a vulnerability in a given implementation and since they linked this vulnerability to rust programming language (in a stupid way) that's probably the reason why this vulnerability it's scored such high.