CVE-2021-42574
📋 TL;DR
This vulnerability exploits Unicode's bidirectional (Bidi) text algorithm to create source code that appears benign to human reviewers but carries different logic when compiled: Bidi control characters reorder how the text is displayed, while the compiler parses the code points in their logical (stored) order. It affects any software that processes Unicode text, particularly compilers and interpreters that accept Unicode input. Attackers can use this to hide vulnerabilities in source code repositories.
💻 Affected Systems
- All software using Unicode bidirectional algorithm
- Compilers accepting Unicode (GCC, Clang, etc.)
- Interpreters (Python, JavaScript, etc.)
- Code editors and IDEs
- Version control systems
📦 What is this software?
Fedora by Fedoraproject
Starwind Virtual San by Starwindsoftware
Unicode by Unicode
⚠️ Risk & Real-World Impact
Worst Case
Attackers could embed backdoors, malware, or logic bombs in open-source projects that go undetected during code review, leading to supply chain attacks affecting millions of users.
Likely Case
Targeted attacks against specific organizations through poisoned dependencies or malicious contributions to codebases, potentially leading to data breaches or system compromise.
If Mitigated
With proper Unicode security controls and code review tools, the risk is significantly reduced to occasional false positives in legitimate bidirectional text.
🎯 Exploit Status
Exploitation requires ability to submit source code to vulnerable systems. Proof-of-concept examples exist in security advisories showing how to create misleading code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Varies by software - refer to Unicode Technical Standard #39 and Unicode Standard Annex #31 for implementation guidance
Vendor Advisory: https://www.unicode.org/reports/tr36/
Restart Required: No
Instructions:
1. Review Unicode Technical Report #36 for understanding.
2. Implement mitigations from Unicode Technical Standard #39.
3. Apply Unicode Standard Annex #31 for identifier validation.
4. Update compilers/interpreters to detect and reject suspicious bidirectional sequences.
🔧 Temporary Workarounds
Enable Unicode security features
Configure applications to use Unicode security mechanisms that detect and prevent misleading bidirectional sequences
Application-specific - consult documentation for enabling Unicode Technical Standard #39 compliance
Code review tooling
Implement pre-commit hooks and CI checks that scan for bidirectional Unicode characters in source code
git config --global filter.unicode.clean "perl -CSD -pe 's/[\x{202A}-\x{202E}\x{2066}-\x{2069}]//g'"
(The original used sed, which does not understand \u escapes; perl with -CSD decodes and re-encodes UTF-8 so the code point ranges match. Note that a clean filter silently strips the characters rather than flagging them, so pair it with a hook that reports them.)
Add pre-commit hook to detect bidirectional characters
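The following scanner is an added example (not code from the advisory or from any of the referenced projects) that implements the pre-commit/CI check described above and doubles as the "Check if Vulnerable" test and the log-indicator detection later on this page: it reports every Bidi control character in the ranges U+202A-U+202E and U+2066-U+2069 with file, line and column, and exits non-zero when any is found. The sample input is constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Bidi control characters named in the advisory: embeddings/overrides
# (U+202A..U+202E) and isolates (U+2066..U+2069), with their short names.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
BIDI_RE = re.compile("[%s]" % "".join(BIDI_CONTROLS))

def find_bidi(text):
    """Return (line, column, name, codepoint) for every Bidi control in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in BIDI_RE.finditer(line):
            ch = m.group(0)
            hits.append((lineno, m.start() + 1, BIDI_CONTROLS[ch], "U+%04X" % ord(ch)))
    return hits

def scan_files(paths):
    """Scan each path as UTF-8 text (binaries/unreadable files are skipped)."""
    findings = {}
    for p in paths:
        try:
            text = Path(p).read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue
        hits = find_bidi(text)
        if hits:
            findings[str(p)] = hits
    return findings

# Constructed sample: a comment wrapping text in RLO ... PDF, which renders
# differently from the order the compiler parses.
SAMPLE = "x = 1\n/* check \u202e admin \u202c */\n"

def main(argv):
    files = argv[1:]
    findings = scan_files(files) if files else {"<sample>": find_bidi(SAMPLE)}
    for path, hits in findings.items():
        for lineno, col, name, cp in hits:
            print("%s:%d:%d: %s (%s)" % (path, lineno, col, name, cp))
    return 1 if findings else 0  # non-zero exit blocks the commit / fails CI

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 bidi_scan.py $(git diff --cached --name-only)` from a pre-commit hook, or with no arguments to see it flag the embedded sample.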
🧯 If You Can't Patch
- Implement strict code review processes with tools that highlight bidirectional Unicode characters
- Restrict source code submissions to ASCII-only character sets where possible
🔍 How to Verify
Check if Vulnerable:
Test if your application properly handles bidirectional Unicode sequences by submitting test code with U+202E (RIGHT-TO-LEFT OVERRIDE) characters
Check Version:
Check Unicode support version in application documentation or via application-specific commands
Verify Fix Applied:
Verify that applications reject or properly display bidirectional sequences according to Unicode Technical Standard #39
📡 Detection & Monitoring
Log Indicators:
- Source code submissions containing bidirectional control characters (U+202A-U+202E, U+2066-U+2069)
- Compilation errors related to Unicode parsing
Network Indicators:
- Unusual patterns in code repository access preceding suspicious commits
SIEM Query:
source_code_scan:bidi_unicode_characters OR unicode_control_sequence_detected
🔗 References
- http://www.openwall.com/lists/oss-security/2021/11/01/1
- http://www.openwall.com/lists/oss-security/2021/11/01/4
- http://www.openwall.com/lists/oss-security/2021/11/01/5
- http://www.openwall.com/lists/oss-security/2021/11/01/6
- http://www.openwall.com/lists/oss-security/2021/11/02/10
- http://www.unicode.org/versions/Unicode14.0.0/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IH2RG5YTR6ZZOLUV3EUPZEIJR7XHJLVD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LQNTFF24ROHLVPLUOEISBN3F7QM27L4U/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QUPA37D57VPTDLSXOOGF4UXUEADOC4PQ/
- https://security.gentoo.org/glsa/202210-09
- https://trojansource.codes
- https://www.kb.cert.org/vuls/id/999008
- https://www.scyon.nl/post/trojans-in-your-source-code
- https://www.starwindsoftware.com/security/sw-20220804-0002/
- https://www.unicode.org/reports/tr31/
- https://www.unicode.org/reports/tr36/
- https://www.unicode.org/reports/tr39/
- https://www.unicode.org/reports/tr9/tr9-44.html#HL4