Overview :
A logical error in bounds checking performed on vsock virtio descriptors can be used by a malicious guest to read from and write to a segment of the host-side Firecracker process’ heap address space, directly after the end of a guest memory region. For reads, the accessible segment’s size is 64 KiB. For writes, the accessible segment is limited by the host Linux kernel to a size defined in /proc/sys/net/core/rmem_max. We expect the value of rmem_max to be on the order of a few hundred KiB to a few MiB.
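
The following Rust example is added here for illustration; it is not Firecracker source and not part of the advisory, which does not describe the flawed check itself. It contrasts a constructed check that validates only a descriptor's start address with one that validates the whole buffer range against a guest memory region. `Region`, `start_only_check` and `range_check` are hypothetical names, and the sample values are constructed.

```rust
// Added illustration; not Firecracker source. All names are hypothetical.

/// One contiguous guest memory region as seen by the VMM.
#[derive(Clone, Copy)]
struct Region {
    guest_base: u64, // first guest-physical address of the region
    len: u64,        // size of the region in bytes
}

/// Constructed example of an incomplete check: only the first byte of the
/// descriptor buffer is validated, so the buffer may run past the region end.
fn start_only_check(r: Region, addr: u64, _len: u32) -> bool {
    addr >= r.guest_base && addr - r.guest_base < r.len
}

/// Full check: the whole buffer [addr, addr + len) must lie inside the region.
fn range_check(r: Region, addr: u64, len: u32) -> bool {
    let end = match addr.checked_add(u64::from(len)) {
        Some(e) => e,
        None => return false, // addr + len wrapped around u64
    };
    let region_end = match r.guest_base.checked_add(r.len) {
        Some(e) => e,
        None => return false, // malformed region description
    };
    addr >= r.guest_base && end <= region_end
}

fn main() {
    // Constructed sample: a 128 MiB region at guest address 0.
    let r = Region { guest_base: 0, len: 128 << 20 };
    let cases: [(u64, u32); 4] = [
        (0x1000, 4096),                // fully inside the region
        ((128 << 20) - 16, 64 * 1024), // starts inside, ends past the region
        (128 << 20, 1),                // starts at the first byte past the end
        (u64::MAX - 8, 64),            // addr + len overflows
    ];
    for (addr, len) in cases {
        println!(
            "addr={:#x} len={} start_only={} range={}",
            addr, len,
            start_only_check(r, addr, len),
            range_check(r, addr, len)
        );
    }
}
```
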
Affected Product(s) :
Vulnerability Details :
Remediation / Fixes :
Patched binaries for the affected versions have been released as Firecracker v0.18.1 [1] and Firecracker v0.19.1 [2]. If you are using Firecracker v0.18.0 or v0.19.0, we recommend you apply the provided fix. If you are using Firecracker v0.17.0 or below, you do not need to take any action.
In a remote code execution scenario, users running Firecracker in line with the recommended Production Host Setup will see the impact limited as follows: a malicious microVM guest that managed to compromise the Firecracker VMM process would be restricted to running on the host as an unprivileged user, in a chroot and mount namespace isolated from the host’s filesystem, in a separate pid namespace, in a separate network namespace, with system calls limited to Firecracker’s seccomp whitelist, on a single NUMA node, and on a cgroups-limited number of CPU cores.
[1] https://github.com/firecracker-microvm/firecracker/releases/tag/v0.18.1
[2] https://github.com/firecracker-microvm/firecracker/releases/tag/v0.19.1