Source: cve@mitre.org
An issue was discovered in the ordnung crate through 2020-09-03 for Rust. compact::Vec violates memory safety via a remove() double free.
CVE-2020-35891 exposes a critical memory safety flaw in the ordnung crate for Rust, leading to a double-free vulnerability. Successful exploitation can result in arbitrary code execution, potentially allowing attackers to compromise affected systems and gain complete control. This vulnerability poses a significant risk due to its potential for system-level compromise.
Step 1: Initialization: A compact::Vec is initialized with a specific capacity and populated with data.
Step 2: Triggering the Vulnerability: The remove() function of compact::Vec is called with specific index parameters. The exact parameters needed to trigger the double-free depend on the internal implementation details of the remove() function and the state of the compact::Vec.
Step 3: Memory Corruption: Due to the logic error, the remove() function attempts to deallocate the same memory region twice. This corrupts the heap.
Step 4: Heap Exploitation (Optional): The attacker can then leverage the corrupted heap to overwrite other data structures, such as function pointers or control data.
Step 5: Code Execution (Optional): By overwriting a function pointer with the address of attacker-controlled code, the attacker can achieve arbitrary code execution.
The vulnerability lies within the compact::Vec implementation in the ordnung crate for Rust. The remove() function, when used under specific conditions, fails to properly manage memory, leading to a double-free. This occurs when the function attempts to deallocate the same memory region twice. The root cause is a logic error in how the remove() function handles the internal data structures of the compact::Vec. Specifically, the code incorrectly calculates or updates the internal pointers or metadata related to memory allocation and deallocation. This leads to the same memory being freed multiple times, which can corrupt the heap and enable attackers to overwrite other data structures, potentially leading to arbitrary code execution.
No specific APT groups or malware families are directly linked to this CVE. However, the nature of the vulnerability (double-free leading to potential code execution) makes it attractive to attackers. The risk is elevated if the affected crate is used in a widely deployed application or service. CISA KEV status: Not Listed.
Monitor system logs for unexpected crashes or segmentation faults, especially those related to memory management.
Analyze core dumps generated after crashes to identify double-free conditions using tools like gdb or valgrind.
Implement memory safety checks and fuzzing during development and testing to identify similar vulnerabilities proactively.
Network traffic analysis may not directly reveal exploitation, but unusual network behavior after a crash could indicate a successful attack.
Update the ordnung crate to a patched version (if available).
If updating is not immediately possible, review the code that uses the ordnung crate and implement workarounds to avoid triggering the vulnerability, such as carefully validating input parameters to the remove() function.
Implement robust memory safety practices during development, including the use of memory sanitizers (e.g., AddressSanitizer, MemorySanitizer) to detect memory errors.
Regularly scan dependencies for known vulnerabilities using tools like cargo audit or other vulnerability scanners.
Consider using a memory-safe language or library if possible.