CVE-2020-35883

9.1 CRITICAL

📋 TL;DR

This vulnerability in the mozwire Rust crate allows attackers to perform directory traversal attacks, enabling them to overwrite local configuration files ending with .conf. Any Rust application using the vulnerable mozwire crate versions is affected, potentially allowing file system manipulation.

💻 Affected Systems

Products:
  • mozwire Rust crate
Versions: All versions through 2020-08-18
Operating Systems: All platforms running Rust applications using mozwire
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Rust applications that use the mozwire crate. The vulnerability is present in the crate itself, not dependent on specific application configurations.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise through overwriting critical configuration files, potentially leading to privilege escalation, service disruption, or remote code execution.

🟠 Likely Case: Local file corruption or unauthorized modification of application configuration files, causing service disruption or data integrity issues.

🟢 If Mitigated: Limited impact with proper file permission controls and sandboxing, potentially only affecting non-critical configuration files.

🌐 Internet-Facing: MEDIUM - While the vulnerability requires some level of access, internet-facing applications using this crate could be targeted if other vulnerabilities provide initial access.
🏢 Internal Only: MEDIUM - Internal applications remain vulnerable to authenticated users or attackers who gain internal network access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to influence file paths processed by the vulnerable crate functions. No public exploit code has been documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 2020-08-18

Vendor Advisory: https://rustsec.org/advisories/RUSTSEC-2020-0030.html

Restart Required: Yes

Instructions:

1. Update Cargo.toml to use mozwire version > 0.1.0 (post 2020-08-18).
2. Run 'cargo update mozwire'.
3. Rebuild and redeploy your application.
4. Restart affected services.

🔧 Temporary Workarounds

Input validation and sanitization (platform: all)

Implement strict input validation in your own application code that rejects any file path containing directory traversal sequences such as '../' before the path reaches the crate.

File permission restrictions (platform: linux)

Set strict file permissions on .conf files to prevent unauthorized writes:

chmod 644 *.conf
chown root:root *.conf

Note that this only helps when the process using mozwire runs as a user other than root or the file owner; a process that already has write access to the files is not constrained by these permissions.

🧯 If You Can't Patch

  • Implement application-level input validation to sanitize all file path inputs
  • Use file system monitoring to detect unauthorized modifications to .conf files
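A defensive file-name check for the traversal class described in the workarounds above, written as an added Rust example (not code from mozwire or from this advisory). It assumes the application derives the .conf file name from an untrusted string (for example a server name returned by a remote API) and writes it under a fixed base directory; the type and function names are hypothetical.

```rust
use std::path::{Path, PathBuf};

/// Why an untrusted name was refused (hypothetical types, not mozwire's own).
#[derive(Debug, PartialEq)]
pub enum PathError {
    Empty,
    Traversal,
    BadChar,
}

/// Build `<base>/<name>.conf` from an untrusted `name` (e.g. a server name
/// received from a remote API) so that the result can never leave `base`.
/// Strategy: allowlist the characters of one plain filename component,
/// refuse the dot-only directory references, then re-check the joined path.
pub fn safe_conf_path(base: &Path, name: &str) -> Result<PathBuf, PathError> {
    if name.is_empty() {
        return Err(PathError::Empty);
    }
    // "." and ".." are directory references, not files; "..." and longer
    // dot-only names are refused too rather than special-cased per platform.
    if name.chars().all(|c| c == '.') {
        return Err(PathError::Traversal);
    }
    // No separators ('/' or '\\'), no NUL, no whitespace or shell metacharacters:
    // a strict allowlist beats trying to enumerate every traversal encoding.
    // Any percent- or unicode-decoding must happen before this check, never after.
    let allowed = |c: char| c.is_ascii_alphanumeric() || matches!(c, '-' | '_' | '.');
    if name.chars().any(|c| !allowed(c)) {
        return Err(PathError::BadChar);
    }
    // Always end in .conf so the caller cannot pick a different target file type.
    let file = if name.ends_with(".conf") { name.to_string() } else { format!("{name}.conf") };
    let path = base.join(&file);
    // Belt and braces: the result must be a direct child of `base`.
    if path.parent() != Some(base) {
        return Err(PathError::Traversal);
    }
    Ok(path)
}

fn main() {
    let base = Path::new("/etc/wireguard"); // constructed example directory
    for name in ["us-east-1", "../../etc/resolv", "..", "wg0.conf"] {
        println!("{name:?} -> {:?}", safe_conf_path(base, name));
    }
}
```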

🔍 How to Verify

Check if Vulnerable:

Check Cargo.lock or Cargo.toml for mozwire dependency version. If version is <= 0.1.0 (from 2020-08-18 or earlier), the application is vulnerable.

Check Version:

grep -A2 -B2 mozwire Cargo.lock || grep mozwire Cargo.toml

Verify Fix Applied:

Verify mozwire version in Cargo.lock is > 0.1.0 and the build date is after 2020-08-18.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file write operations to .conf files
  • File path inputs containing '../' sequences
  • Permission-denied errors when writing to configuration files

Network Indicators:

  • Unusual network patterns if exploit leads to further compromise

SIEM Query:

source="application.log" AND ("../" OR "directory traversal" OR "conf file modified")
