CVE-2020-35857

7.5 HIGH

📋 TL;DR

This vulnerability in the trust-dns-server Rust crate before version 0.18.1 lets a remote, unauthenticated attacker crash the server through stack consumption: when the server resolves the additional records for an MX or SRV record whose target is the null name "." (the root), it recurses without bound and exhausts the stack. Null targets are valid DNS (RFC 7505 null MX, RFC 2782 SRV "no service"), so a server must handle them rather than recurse on them. Every release up to and including 0.18.0 is affected; 0.18.1 fixes it.

💻 Affected Systems

Products:
  • trust-dns-server
Versions: All releases before 0.18.1 (0.18.0 and earlier, including 0.18.0 pre-releases)
Operating Systems: Any; the defect is in the crate, not in the platform
Default Config Vulnerable: ⚠️ Yes
Notes: Only applications that link the trust-dns-server crate are affected; other DNS implementations are not.

📦 What is this software?

trust-dns-server is the server crate of Trust-DNS, a DNS implementation written in Rust. Applications link it as a library to serve DNS zones, so the vulnerable code ships inside whatever binary embeds the crate.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service outage of DNS resolution capabilities, potentially affecting all dependent services.

🟠

Likely Case

DNS server crashes or becomes unresponsive, disrupting name resolution for clients.

🟢

If Mitigated

A patched server is not affected. On an unpatched server, redundant instances plus automatic restart of a crashed process bound the outage to a brief restart, and removing null-target MX/SRV records from served zones removes the trigger; rate limiting alone slows an attacker but does not prevent the crash.

🌐 Internet-Facing: HIGH - DNS servers are typically internet-facing and can be targeted by remote attackers.
🏢 Internal Only: MEDIUM - Internal DNS servers could still be targeted by compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation needs no authentication, no privileged network position and no user interaction: the attacker only has to make the server resolve an MX or SRV record with a null target, which takes nothing more than DNS queries. The RustSec advisory describes the trigger condition; a proof of concept amounts to a query that drives a vulnerable server down that path.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.18.1

Vendor Advisory: https://rustsec.org/advisories/RUSTSEC-2020-0001.html

Restart Required: Yes

Instructions:

1. Update Cargo.toml so the requirement admits only fixed releases, e.g. trust-dns-server = "0.18.1" (Cargo reads this as ^0.18.1, i.e. >= 0.18.1 and < 0.19.0)
2. Run 'cargo update -p trust-dns-server' so that Cargo.lock actually moves to the patched version; a changed Cargo.toml does nothing until the lock file is regenerated
3. Rebuild and redeploy the application from the updated lock file
4. Restart the DNS server process; the old binary keeps running the vulnerable code until it is restarted

🔧 Temporary Workarounds

Remove Null-Target MX/SRV Records from Served Zones

Applies to: all platforms

The trigger is an MX or SRV record whose target is the null name "." (RFC 7505 null MX, RFC 2782 "no service" SRV). Audit the zones the server loads for such records and remove or replace them until the server is patched. This gives up a legitimate DNS feature, so treat it as a stop-gap, not a permanent fix.

Query-Type Filtering and Rate Limiting

Applies to: all platforms

If the zones cannot be changed, drop or rate-limit MX and SRV queries at the network perimeter or at a resolver placed in front of the server. Rate limiting only slows an attacker, because a single request that reaches the unbounded recursion exhausts the stack; filtering the query types outright is the stronger of the two.
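The zone audit described above, as an added example (not part of the advisory or of trust-dns-server): a std-only Rust program that scans zone-file text for MX or SRV records whose target is the null name "." and reports line, owner and type. The zone text is a constructed sample, and the parser assumes one record per line (no multi-line parentheses) in the usual <owner> [TTL] [class] TYPE RDATA layout; those are assumptions of this example, not guarantees about any real zone file.

```rust
// Added example, not code from the advisory or from trust-dns-server.
// Audit a zone file for MX/SRV records with a null target ("."): valid DNS
// per RFC 7505 (null MX) and RFC 2782 (SRV), which is exactly why a server
// must handle them without recursing. Assumes one record per line.

#[derive(Debug, PartialEq)]
struct NullTarget {
    line: usize,   // 1-based line number in the zone text
    owner: String, // owner name as written ("@" or inherited from the line above)
    rtype: String, // "MX" or "SRV"
}

fn find_null_targets(zone: &str) -> Vec<NullTarget> {
    let mut findings = Vec::new();
    let mut last_owner = String::from("@");
    for (idx, raw) in zone.lines().enumerate() {
        // Drop ';' comments, then skip blank lines and $ORIGIN/$TTL directives.
        let line = raw.split(';').next().unwrap_or("").trim();
        if line.is_empty() || line.starts_with('$') {
            continue;
        }
        let toks: Vec<&str> = line.split_whitespace().collect();
        // A line that begins with whitespace inherits the previous owner name.
        let has_owner = !raw.starts_with(|c: char| c.is_whitespace());
        if has_owner {
            last_owner = toks[0].to_string();
        }
        // Never treat the owner token itself (e.g. a host called "mx") as the type.
        let first_field = if has_owner { 1 } else { 0 };
        let pos = match toks[first_field..]
            .iter()
            .position(|t| t.eq_ignore_ascii_case("MX") || t.eq_ignore_ascii_case("SRV"))
        {
            Some(p) => first_field + p,
            None => continue,
        };
        let rtype = toks[pos].to_ascii_uppercase();
        // MX rdata: preference target. SRV rdata: priority weight port target.
        let rdata_fields = if rtype == "MX" { 2 } else { 4 };
        if toks.len() != pos + 1 + rdata_fields {
            continue; // malformed, or a record split across lines
        }
        if toks[toks.len() - 1] == "." {
            findings.push(NullTarget { line: idx + 1, owner: last_owner.clone(), rtype });
        }
    }
    findings
}

// Constructed sample zone for illustration; not taken from any real deployment.
const SAMPLE_ZONE: &str = r#"$ORIGIN example.com.
$TTL 3600
@          IN SOA ns1 hostmaster 2024010101 7200 3600 1209600 300
           IN NS  ns1
@          IN MX  10 mail        ; ordinary MX
           IN MX  0  .           ; null MX (RFC 7505), owner inherited
_sip._tcp  IN SRV 10 60 5060 sip
_ldap._tcp IN SRV 0 0 0 .        ; null SRV target (RFC 2782)
mx         IN A   192.0.2.10
"#;

fn main() {
    // Pass a zone file path as the first argument, or run on the sample.
    let zone = std::env::args()
        .nth(1)
        .map(|p| std::fs::read_to_string(p).expect("read zone file"))
        .unwrap_or_else(|| SAMPLE_ZONE.to_string());
    for f in find_null_targets(&zone) {
        println!("line {}: {} record at owner {} has null target \".\"", f.line, f.rtype, f.owner);
    }
}
```

On the sample this reports the null MX on line 6 (owner "@") and the null SRV on line 8; run it against each zone the server loads and decide per record whether to remove it until the crate is upgraded.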

🧯 If You Can't Patch

  • Implement network-based intrusion detection to monitor for bursts of MX/SRV queries and for crash-and-restart cycles of the server
  • Deploy redundant DNS servers with load balancing so one crashed instance does not take resolution down
  • Run the server under a process supervisor (for example systemd with Restart=on-failure) so a stack-overflow abort is recovered automatically

🔍 How to Verify

Check if Vulnerable:

Run 'cargo audit' in the project; it reads Cargo.lock and reports RUSTSEC-2020-0001 for any locked trust-dns-server below 0.18.1. Alternatively run 'cargo tree -i trust-dns-server' to see which version is locked and which dependency pulls it in.

Check Version:

grep -A1 'name = "trust-dns-server"' Cargo.lock

In Cargo.lock the name and version sit on consecutive lines, so grepping the name alone does not show the version; the -A1 prints the version line beneath it.

Verify Fix Applied:

After the update, every version line that follows name = "trust-dns-server" in Cargo.lock must read 0.18.1 or later, 'cargo audit' must no longer list RUSTSEC-2020-0001, and the deployed binary must have been rebuilt from that lock file.
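The lock-file check above, as an added example (not code from the advisory or from trust-dns-server): a std-only Rust program that parses Cargo.lock text, lists every locked trust-dns-server version and flags those below 0.18.1. It checks Cargo.lock rather than Cargo.toml on purpose, because a new requirement in Cargo.toml changes nothing until the lock file is regenerated. The lockfile text is a constructed sample; the version ordering treats a pre-release such as 0.18.1-alpha.1 as below the 0.18.1 release, which is a deliberate conservative choice of this example.

```rust
// Added example, not code from the advisory or from trust-dns-server.
// Scan Cargo.lock for trust-dns-server and report versions below 0.18.1.

/// Fixed release as an ordering key (major, minor, patch, is_release).
/// A pre-release of 0.18.1 sorts below the 0.18.1 release (false < true).
const FIXED: (u64, u64, u64, bool) = (0, 18, 1, true);

/// Parse "MAJOR.MINOR.PATCH[-pre][+build]" into an ordering key.
fn version_key(v: &str) -> Option<(u64, u64, u64, bool)> {
    let (core, is_release) = match v.find(|c: char| c == '-' || c == '+') {
        Some(i) => (&v[..i], !v[i..].starts_with('-')),
        None => (v, true),
    };
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    let major = parts.next()??;
    let minor = parts.next()??;
    let patch = parts.next()??;
    if parts.next().is_some() {
        return None; // more than three numeric components is not semver
    }
    Some((major, minor, patch, is_release))
}

/// Every locked version of `crate_name` in Cargo.lock text. A lock file can
/// pin two versions of one crate when different dependency paths need them,
/// so all occurrences are returned.
fn locked_versions(lock: &str, crate_name: &str) -> Vec<String> {
    let mut versions = Vec::new();
    let mut in_package = false;
    let mut name: Option<String> = None;
    let mut version: Option<String> = None;
    // The trailing "[end]" sentinel flushes the last package like any new table would.
    for raw in lock.lines().chain(std::iter::once("[end]")) {
        let line = raw.trim();
        if line.starts_with('[') {
            if name.as_deref() == Some(crate_name) {
                if let Some(v) = version.take() {
                    versions.push(v);
                }
            }
            in_package = line == "[[package]]";
            name = None;
            version = None;
            continue;
        }
        if !in_package {
            continue;
        }
        if let Some(rest) = line.strip_prefix("name = ") {
            name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            version = Some(rest.trim_matches('"').to_string());
        }
    }
    versions
}

/// (version, is_vulnerable) for each locked trust-dns-server. A version that
/// does not parse is reported as vulnerable so that a human looks at it.
fn vulnerable_versions(lock: &str) -> Vec<(String, bool)> {
    locked_versions(lock, "trust-dns-server")
        .into_iter()
        .map(|v| {
            let vuln = version_key(&v).map_or(true, |k| k < FIXED);
            (v, vuln)
        })
        .collect()
}

// Constructed sample Cargo.lock for illustration; not from any real project.
const SAMPLE_LOCK: &str = r#"# Constructed sample Cargo.lock.
version = 3

[[package]]
name = "trust-dns-proto"
version = "0.18.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "trust-dns-server"
version = "0.17.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "trust-dns-server"
version = "0.18.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

fn main() {
    // Pass a Cargo.lock path as the first argument, or run on the sample.
    let lock = std::env::args()
        .nth(1)
        .map(|p| std::fs::read_to_string(p).expect("read Cargo.lock"))
        .unwrap_or_else(|| SAMPLE_LOCK.to_string());
    for (version, vulnerable) in vulnerable_versions(&lock) {
        let verdict = if vulnerable { "VULNERABLE (< 0.18.1)" } else { "fixed" };
        println!("trust-dns-server {} -> {}", version, verdict);
    }
}
```

On the sample this flags 0.17.0 and clears 0.18.1; a real lock file with both present means one dependency path still drags in the vulnerable crate, which 'cargo tree -i trust-dns-server' will locate.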

📡 Detection & Monitoring

Log Indicators:

  • Server crash or restart logs; a stack overflow aborts the process rather than returning an error
  • Bursts of MX or SRV queries immediately before a crash
  • An unusual number of MX/SRV queries from a single source

Network Indicators:

  • Spike in MX/SRV queries to the server, often for a single name
  • Repeated queries for names whose MX or SRV records carry a "." target

SIEM Query (field names follow the page's convention; the count threshold is illustrative):

source="dns_logs" AND (query_type="MX" OR query_type="SRV") | stats count by src_ip, query_name | where count > 50 | sort -count
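The per-source MX/SRV count above, as an added example run over constructed log lines (not code from the advisory or from trust-dns-server): a std-only Rust detector that parses key=value query-log lines, counts MX and SRV queries per source address and returns the sources at or above a threshold. The key=value log format, the field names src/qtype and the threshold are assumptions of this example; adapt them to the server's real query log.

```rust
// Added example, not code from the advisory or from trust-dns-server.
// Flag source addresses that send bursts of MX/SRV queries.
use std::collections::HashMap;

/// One parsed query-log line; only the fields the detector needs.
#[derive(Debug, PartialEq)]
struct QueryEvent {
    src: String,
    qtype: String,
}

/// Parse an assumed "key=value" line such as
/// `ts=2024-01-15T10:00:01Z src=203.0.113.5 qname=example.com. qtype=MX`.
/// Lines without both src and qtype are skipped rather than guessed at.
fn parse_line(line: &str) -> Option<QueryEvent> {
    let mut src = None;
    let mut qtype = None;
    for tok in line.split_whitespace() {
        if let Some((k, v)) = tok.split_once('=') {
            match k {
                "src" => src = Some(v.to_string()),
                "qtype" => qtype = Some(v.to_ascii_uppercase()),
                _ => {}
            }
        }
    }
    Some(QueryEvent { src: src?, qtype: qtype? })
}

/// Count MX and SRV queries per source and return those at or above
/// `threshold`, highest count first, ties broken by address.
fn noisy_sources(log: &str, threshold: usize) -> Vec<(String, usize)> {
    let mut counts: HashMap<String, usize> = HashMap::new();
    for ev in log.lines().filter_map(parse_line) {
        if ev.qtype == "MX" || ev.qtype == "SRV" {
            *counts.entry(ev.src).or_insert(0) += 1;
        }
    }
    let mut hits: Vec<(String, usize)> =
        counts.into_iter().filter(|(_, n)| *n >= threshold).collect();
    hits.sort_by(|a, b| b.1.cmp(&a.1).then(a.0.cmp(&b.0)));
    hits
}

// Constructed sample log lines for illustration (documentation IP ranges).
const SAMPLE_LOG: &str = "\
ts=2024-01-15T10:00:01Z src=203.0.113.5 qname=example.com. qtype=MX
ts=2024-01-15T10:00:01Z src=203.0.113.5 qname=example.com. qtype=MX
ts=2024-01-15T10:00:02Z src=203.0.113.5 qname=_sip._tcp.example.com. qtype=SRV
ts=2024-01-15T10:00:02Z src=198.51.100.7 qname=www.example.com. qtype=A
ts=2024-01-15T10:00:03Z src=198.51.100.7 qname=example.com. qtype=MX
ts=2024-01-15T10:00:03Z src=203.0.113.5 qname=example.com. qtype=MX
ts=2024-01-15T10:00:04Z src=192.0.2.9 qname=_ldap._tcp.example.com. qtype=SRV
ts=2024-01-15T10:00:04Z src=192.0.2.9 qname=_ldap._tcp.example.com. qtype=srv
this line is garbage and is skipped by the parser
ts=2024-01-15T10:00:05Z src=192.0.2.9 qname=_ldap._tcp.example.com. qtype=SRV
ts=2024-01-15T10:00:05Z src=203.0.113.5 qname=_sip._tcp.example.com. qtype=SRV
";

fn main() {
    // Pass a log file path as the first argument, or run on the sample.
    let log = std::env::args()
        .nth(1)
        .map(|p| std::fs::read_to_string(p).expect("read log file"))
        .unwrap_or_else(|| SAMPLE_LOG.to_string());
    let threshold = 3; // illustrative; tune to the server's normal MX/SRV rate
    for (src, n) in noisy_sources(&log, threshold) {
        println!("{} sent {} MX/SRV queries (threshold {})", src, n, threshold);
    }
}
```

On the sample, 203.0.113.5 (5 queries) and 192.0.2.9 (3) are reported and 198.51.100.7 (1) is not. Correlate the flagged sources with the server's crash or restart timestamps: a burst followed by an abort is the pattern this vulnerability leaves behind.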

🔗 References

  • RustSec advisory RUSTSEC-2020-0001: https://rustsec.org/advisories/RUSTSEC-2020-0001.html
  • NVD entry for CVE-2020-35857: https://nvd.nist.gov/vuln/detail/CVE-2020-35857