
Cloud Vulnerability DB
A community-led vulnerabilities database
An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through 14.0. It permits the visual reordering of characters via control sequences, which can be used to craft source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters. This vulnerability, tracked as CVE-2021-42574 and discovered by Nicholas Boucher and Ross Anderson of the University of Cambridge, allows adversaries to encode source code for compilers accepting Unicode such that targeted vulnerabilities are introduced invisibly to human reviewers ([TROJANSOURCE], [CERT-VN]).
The vulnerability exploits Unicode bidirectional (Bidi) control characters embedded in comments and string literals to produce visually deceptive source code files. By carefully placing these control characters, attackers can visually reorder the source code so that it is displayed differently than how it is processed by the compiler or interpreter. The attack works by making comments appear as if they were code, or vice versa, allowing malicious code to be hidden from human code reviewers while still being executed by compilers ([RUST-BLOG], [SCYON]).
The impact of this vulnerability is significant, particularly in the context of software supply chains. If an adversary successfully commits targeted vulnerabilities into open source code by deceiving human reviewers, downstream software will likely inherit the vulnerability. The attack can be used to introduce vulnerabilities invisibly into source code that passes through code review ([TROJANSOURCE], [CERT-VN]).
Mitigations include:
1) Compilers and interpreters should throw errors or warnings for unterminated bidirectional control characters in comments or string literals.
2) Code editors and repository frontends should make bidirectional control characters perceptible with visual symbols or warnings.
3) Language specifications should formally disallow unterminated bidirectional control characters in comments and string literals.
For example, Rust 1.56.1 adds new lints to detect and reject code containing the affected codepoints ([RUST-BLOG], [TROJANSOURCE]).
Multiple organizations released parallel security advisories and implemented mitigations, including Rust, Red Hat, and GitHub. Rust released version 1.56.1 with new lints to detect these characters. GitHub added warnings about bidirectional Unicode text. The security community recognized this as a novel attack vector that could have significant implications for code review and supply chain security ([RUST-BLOG], [TROJANSOURCE]).
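The first two mitigations reduce to one check a reviewer-side tool can perform: locate every Bidi control character in a source file and flag any embedding, override or isolate that is not closed before the end of the comment or string literal it sits in. The scanner below is an added example written for this page; it is not code from the Trojan Source authors, from Rust's lints or from GitHub. It works line by line (an assumption that simplifies real tooling, which would tokenize comments and literals per language), pairs openers with PDF and PDI following the UAX #9 rules, and runs over a small constructed source snippet so it executes offline.

```python
"""Detect Unicode bidirectional control characters in source text (added example)."""
import unicodedata

# Explicit directional formatting characters from UAX #9.
PDF = "\u202c"  # POP DIRECTIONAL FORMATTING: closes LRE/RLE/LRO/RLO
PDI = "\u2069"  # POP DIRECTIONAL ISOLATE: closes LRI/RLI/FSI and any embeddings inside them
OPENERS = {
    "\u202a": PDF,  # LEFT-TO-RIGHT EMBEDDING
    "\u202b": PDF,  # RIGHT-TO-LEFT EMBEDDING
    "\u202d": PDF,  # LEFT-TO-RIGHT OVERRIDE
    "\u202e": PDF,  # RIGHT-TO-LEFT OVERRIDE
    "\u2066": PDI,  # LEFT-TO-RIGHT ISOLATE
    "\u2067": PDI,  # RIGHT-TO-LEFT ISOLATE
    "\u2068": PDI,  # FIRST STRONG ISOLATE
}
BIDI_CONTROLS = set(OPENERS) | {PDF, PDI}


def find_bidi_controls(line):
    """Return (column, Unicode name) for every Bidi control character in a line."""
    return [(col, unicodedata.name(ch)) for col, ch in enumerate(line) if ch in BIDI_CONTROLS]


def has_unterminated(line):
    """True if an embedding, override or isolate opened on this line is still open at its end.

    Mirrors the pairing rules of the Bidi algorithm: PDF closes only the innermost
    embedding/override, PDI closes the innermost isolate together with everything
    opened inside it, and stray closers are ignored.
    """
    stack = []
    for ch in line:
        if ch in OPENERS:
            stack.append(OPENERS[ch])
        elif ch == PDF:
            if stack and stack[-1] == PDF:
                stack.pop()
        elif ch == PDI:
            if PDI in stack:
                while stack.pop() != PDI:
                    pass
    return bool(stack)


def scan(source):
    """Report every line containing Bidi controls, with whether any is left unterminated."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        controls = find_bidi_controls(line)
        if controls:
            findings.append({
                "line": line_no,
                "controls": controls,
                "unterminated": has_unterminated(line),
            })
    return findings


# Constructed sample input, not taken from any real project: line 2 carries a
# RIGHT-TO-LEFT OVERRIDE that is never closed (the pattern the mitigations target),
# line 4 carries a correctly paired isolate inside a string literal.
SAMPLE_SOURCE = (
    "def is_admin(user):\n"
    "    # role check \u202e trailing text\n"
    "    return user.role == 'admin'\n"
    "label = '\u2067hello\u2069'\n"
)

if __name__ == "__main__":
    for finding in scan(SAMPLE_SOURCE):
        status = "UNTERMINATED" if finding["unterminated"] else "terminated"
        where = ", ".join(f"col {col}: {name}" for col, name in finding["controls"])
        print(f"line {finding['line']}: {status} ({where})")
```

A review gate built on this would reject files where `scan` reports any unterminated entry and surface the terminated ones for a human to look at, which is the combination of compiler-side rejection and editor-side visibility the mitigations above describe.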
Source: This report was generated using AI