CVE-2020-35860

9.8 CRITICAL

📋 TL;DR

This vulnerability in the cbox crate for Rust allows raw pointers to be dereferenced without the unsafe keyword that Rust normally requires, so the compiler's memory-safety guarantees no longer hold and memory corruption becomes possible. It affects Rust applications that use vulnerable versions of the cbox crate. Attackers could exploit this to execute arbitrary code or crash applications.

💻 Affected Systems

Products:
  • Rust applications using cbox crate
Versions: cbox crate versions through 2020-03-19
Operating Systems: All operating systems running Rust applications
Default Config Vulnerable: ⚠️ Yes
Notes: Any Rust application importing and using the vulnerable cbox crate is affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Application crashes (denial of service) or memory corruption leading to unpredictable behavior.

🟢 If Mitigated: Limited impact if proper memory safety controls and sandboxing are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability allows bypassing Rust's memory safety guarantees, making exploitation straightforward for attackers familiar with Rust memory management.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: cbox crate version after 2020-03-19

Vendor Advisory: https://rustsec.org/advisories/RUSTSEC-2020-0005.html

Restart Required: Yes

Instructions:

1. Update Cargo.toml to use cbox crate version >0.1.0 (post-2020-03-19).
2. Run 'cargo update' to fetch the patched version.
3. Recompile and redeploy your Rust application.

🔧 Temporary Workarounds

Remove cbox dependency (platforms: all)

Eliminate the vulnerability by removing the cbox crate dependency from your project.

cargo remove cbox

Pin to patched version (platforms: all)

Force Cargo to use only patched versions of the cbox crate.

Add to Cargo.toml: cbox = ">0.1.0"

🧯 If You Can't Patch

  • Isolate affected applications in network segments with strict firewall rules.
  • Implement application sandboxing or containerization to limit potential damage from exploitation.

🔍 How to Verify

Check if Vulnerable:

Check Cargo.lock for cbox crate version 0.1.0 or earlier, or run 'cargo audit' to detect vulnerable dependencies.

Check Version:

grep -A2 'name = "cbox"' Cargo.lock

Verify Fix Applied:

Verify Cargo.lock shows cbox crate version >0.1.0, and 'cargo audit' reports no vulnerabilities for cbox.
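As an added example that is not part of this advisory page: a POSIX shell script that pulls the cbox version out of a Cargo.lock and reports whether it is at or below 0.1.0, the cutoff this page uses. The sample Cargo.lock it writes is constructed for the demonstration; the version comparison is a plain dotted-numeric compare, and the 0.1.0 threshold is taken from this page rather than checked against the crate registry.

```shell
#!/bin/sh
# Added example: check a Cargo.lock for a vulnerable cbox version.
# Assumes the standard Cargo.lock layout ([[package]] blocks with
# name = "..." and version = "..." lines). The 0.1.0 cutoff is the
# threshold stated on the advisory page, not a registry lookup.

# cbox_version LOCKFILE -> prints the cbox version string, or nothing if absent
cbox_version() {
    awk '
        /^\[\[package\]\]/ { name = "" }
        /^name = /    { gsub(/"/, "", $3); name = $3 }
        /^version = / && name == "cbox" { gsub(/"/, "", $3); print $3; exit }
    ' "$1"
}

# version_le A B -> exit 0 if dotted version A <= B, 1 otherwise
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 0
    }'
}

# check_lockfile LOCKFILE -> prints "vulnerable <v>", "patched <v>" or "absent";
# exit status is 1 only when a vulnerable cbox is present
check_lockfile() {
    v=$(cbox_version "$1")
    if [ -z "$v" ]; then
        echo "absent"
        return 0
    fi
    if version_le "$v" "0.1.0"; then
        echo "vulnerable $v"
        return 1
    fi
    echo "patched $v"
    return 0
}

# write_sample_lock PATH VERSION -> writes a constructed Cargo.lock (sample data)
write_sample_lock() {
    cat > "$1" <<EOF
# Constructed sample lockfile for the example, not a real project.
version = 3

[[package]]
name = "cbox"
version = "$2"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "cbox",
]
EOF
}

# Stand-alone demo: build a sample lockfile with the vulnerable version and check it.
demo_lock=$(mktemp)
write_sample_lock "$demo_lock" "0.1.0"
if check_lockfile "$demo_lock"; then
    echo "no vulnerable cbox in $demo_lock"
else
    echo "action needed: update cbox in $demo_lock"
fi
rm -f "$demo_lock"
```

For a real project, call check_lockfile on the project's own Cargo.lock; the non-zero exit status makes it usable as a CI gate alongside 'cargo audit'.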

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with memory access violation errors
  • Unexpected segmentation faults in Rust applications

Network Indicators:

  • Unusual outbound connections from Rust applications
  • Traffic patterns suggesting exploit attempts

SIEM Query:

source="application.logs" AND ("segmentation fault" OR "memory corruption" OR "cbox")
