CVE-2020-35887

9.8 CRITICAL

📋 TL;DR

The Index and IndexMut implementations in the arr crate for Rust do not check that the requested index lies within the array, so an out-of-range index reads or writes past the end of the buffer (a buffer overflow). It affects any Rust application that depends on a vulnerable version of the arr crate, potentially leading to arbitrary code execution or application crashes.

💻 Affected Systems

Products:
  • Rust applications using arr crate
Versions: arr crate versions through 2020-08-25
Operating Systems: All operating systems running Rust applications
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Rust applications that directly use the vulnerable arr crate functions.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Application crashes (denial of service) or memory corruption leading to unpredictable behavior.

🟢 If Mitigated: Application crashes without code execution if memory protections like ASLR are effective.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting specific inputs to trigger buffer overflow via Index/IndexMut operations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: arr crate version after 2020-08-25

Vendor Advisory: https://rustsec.org/advisories/RUSTSEC-2020-0034.html

Restart Required: Yes

Instructions:

1. Update Cargo.toml to use arr crate version > 0.8.0
2. Run 'cargo update'
3. Rebuild and redeploy application
4. Restart affected services

🔧 Temporary Workarounds

Remove the arr crate dependency (applies to: all platforms) and replace its functionality with an alternative implementation:

cargo remove arr
cargo build --release

Note that 'cargo remove' is only available in Cargo 1.62 or newer; on older toolchains, delete the arr line from the [dependencies] section of Cargo.toml by hand before rebuilding.

🧯 If You Can't Patch

  • Implement input validation and bounds checking for all array operations
  • Deploy memory protection mechanisms (ASLR, DEP) and monitor for crashes

🔍 How to Verify

Check if Vulnerable:

Check Cargo.lock for arr crate version <= 0.8.0 or run 'cargo tree | grep arr' (plain grep also matches other crates whose names contain "arr", such as arrayvec; 'cargo tree -i arr' lists only the arr crate and the packages that depend on it).

Check Version:

grep -A 1 -x 'name = "arr"' Cargo.lock

Verify Fix Applied:

Verify arr crate version > 0.8.0 in Cargo.lock and test array operations with boundary inputs
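As an added check for the verification step above (this is not code from the advisory or from the arr crate), the following Rust program scans Cargo.lock text for the arr package by exact name, so arrayvec and similar names are not false positives, and flags any locked arr version at or below 0.8.0. The Cargo.lock excerpt is constructed for the example.

```rust
// Added example: flag a vulnerable `arr` version in Cargo.lock text.
// The lock file content below is constructed; 0.8.0 is the threshold
// stated in the advisory card.

const SAMPLE_CARGO_LOCK: &str = r#"
[[package]]
name = "arrayvec"
version = "0.5.2"

[[package]]
name = "arr"
version = "0.6.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "arr",
]
"#;

/// Parse "x.y.z" into a comparable tuple; None if malformed.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let mut it = v.trim().split('.').map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

/// Every locked version of the package `name` (exact match on the name line).
fn locked_versions(lock: &str, name: &str) -> Vec<String> {
    let wanted = format!("name = \"{}\"", name);
    let mut out = Vec::new();
    let mut in_wanted = false;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            in_wanted = false; // new package block resets the match
        } else if line == wanted {
            in_wanted = true; // exact match: "arrayvec" does not qualify
        } else if in_wanted {
            if let Some(v) = line.strip_prefix("version = ") {
                out.push(v.trim_matches('"').to_string());
                in_wanted = false;
            }
        }
    }
    out
}

/// True when any locked `arr` version is <= 0.8.0 (the vulnerable range).
fn arr_is_vulnerable(lock: &str) -> bool {
    locked_versions(lock, "arr").iter().any(|v| match parse_version(v) {
        Some(ver) => ver <= (0, 8, 0),
        None => true, // unparseable version: treat as vulnerable, not as safe
    })
}

fn main() {
    println!("arr versions: {:?}", locked_versions(SAMPLE_CARGO_LOCK, "arr"));
    println!("vulnerable: {}", arr_is_vulnerable(SAMPLE_CARGO_LOCK));
}
```

Run it against the real lock file by reading Cargo.lock into a string and passing it to arr_is_vulnerable; a lock file that pins several arr versions is checked in full.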

📡 Detection & Monitoring

Log Indicators:

  • Application segmentation faults
  • Rust panic messages related to array bounds
  • Memory access violation logs

Network Indicators:

  • Unusual traffic patterns to services using arr crate
  • Repeated connection attempts followed by service crashes

SIEM Query:

source="application.logs" AND ("segmentation fault" OR "panic" OR "array index out of bounds")
