CVE-2020-35889
📋 TL;DR
This vulnerability in the crayon Rust crate is a Time-of-Check Time-of-Use (TOCTOU) issue that can lead to memory safety violations via HandleLike. Attackers could exploit this to cause crashes or potentially execute arbitrary code. Any Rust application using vulnerable versions of the crayon crate is affected.
💻 Affected Systems
- crayon Rust crate
📦 What is this software?
Crayon by Crayon Project
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, or ransomware deployment.
Likely Case
Application crashes (denial of service) or memory corruption leading to unstable behavior.
If Mitigated
Limited impact due to memory safety protections in Rust, but still potential for crashes.
🎯 Exploit Status
Exploitation requires precise timing and specific conditions due to TOCTOU nature.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 2020-08-31
Vendor Advisory: https://rustsec.org/advisories/RUSTSEC-2020-0037.html
Restart Required: Yes
Instructions:
1. Update Cargo.toml to use crayon version > 0.8.31
2. Run 'cargo update --package crayon'
3. Rebuild and redeploy your application
4. Restart affected services
🔧 Temporary Workarounds
Remove crayon dependency
Temporarily remove the crayon crate, or replace it with an alternative, if possible
cargo remove crayon
🧯 If You Can't Patch
- Isolate affected applications in network segments
- Implement strict access controls and monitoring
🔍 How to Verify
Check if Vulnerable:
Check Cargo.lock for crayon version ≤ 0.8.31
Check Version:
grep -A2 'name = "crayon"' Cargo.lock
Verify Fix Applied:
Verify crayon version > 0.8.31 in Cargo.lock after update
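To make the verification step repeatable in CI, here is an added POSIX shell example (not part of this advisory) that reads a Cargo.lock from standard input, extracts the version pinned for crayon and compares it with the 0.8.31 threshold the advisory states. The function names, the constructed sample lock-file contents and the version numbers inside them are assumptions made for the example, not real project files.

```shell
#!/bin/sh
# Added example (not from the advisory): inspect Cargo.lock for the crayon
# crate and compare the pinned version with the threshold this page gives.

# Threshold as stated in this advisory's verification step.
VULN_MAX="0.8.31"

# Read a Cargo.lock on stdin and print the version pinned for package $1
# (nothing if the package is absent). A [[package]] block lists
# name = "<pkg>" followed by version = "<ver>".
lock_version() {
  awk -v pkg="$1" '
    /^\[\[package\]\]/                      { want = 0 }
    $1 == "name" && $3 == ("\"" pkg "\"")   { want = 1; next }
    want && $1 == "version"                 { gsub(/"/, "", $3); print $3; exit }
  '
}

# Return 0 if dotted version $1 is <= $2, else 1. Components are compared
# numerically one by one; a pre-release suffix such as "-alpha" is ignored.
version_le() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xa = (i <= na) ? x[i] + 0 : 0
      yb = (i <= nb) ? y[i] + 0 : 0
      if (xa < yb) exit 0
      if (xa > yb) exit 1
    }
    exit 0
  }'
}

# Classify the Cargo.lock given on stdin. Prints one of:
#   "vulnerable <ver>"  crayon pinned at or below the threshold
#   "fixed <ver>"       crayon pinned above the threshold
#   "absent"            crayon is not in the dependency graph at all
crayon_status() {
  v=$(lock_version crayon)
  if [ -z "$v" ]; then
    echo absent
    return
  fi
  if version_le "$v" "$VULN_MAX"; then
    echo "vulnerable $v"
  else
    echo "fixed $v"
  fi
}

# Constructed sample lock files (hypothetical, not real project files).
SAMPLE_OLD='[[package]]
name = "cgmath"
version = "0.17.0"

[[package]]
name = "crayon"
version = "0.7.1"
dependencies = [
 "cgmath",
]
'
SAMPLE_NEW='[[package]]
name = "crayon"
version = "0.8.32"
'
SAMPLE_NONE='[[package]]
name = "serde"
version = "1.0.0"
'

# Run the classifier over each constructed sample.
for s in "$SAMPLE_OLD" "$SAMPLE_NEW" "$SAMPLE_NONE"; do
  printf '%s\n' "$s" | crayon_status
done
```

In a real pipeline, run `crayon_status < Cargo.lock` and fail the build on the `vulnerable` outcome; the version comparison is done component by component rather than lexically so that, for example, 0.8.4 is correctly ordered below 0.8.31.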
📡 Detection & Monitoring
Log Indicators:
- Application crashes
- Memory access violation errors
- Panic messages related to crayon
Network Indicators:
- Unusual process behavior from Rust applications
SIEM Query:
process.name:rust AND (event.type:crash OR error.message:"crayon")