{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cranelift/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Wasmtime"],"_cs_severities":["critical"],"_cs_tags":["wasmtime","cranelift","aarch64","sandbox-escape","memory-corruption"],"_cs_type":"advisory","_cs_vendors":["Wasmtime"],"content_html":"\u003cp\u003eA critical vulnerability has been identified in Wasmtime's Cranelift compilation backend specifically affecting aarch64 architectures. This flaw stems from a miscompilation of heap accesses, leading to incorrect address calculations within guest WebAssembly modules. This allows a malicious guest module to bypass memory bounds checks and gain unauthorized read/write access to the host system's memory. The vulnerability is present in Wasmtime versions prior to 36.0.7, between 37.0.0 and 42.0.2, and version 43.0.0. Successful exploitation requires specific conditions: 64-bit WebAssembly linear memories must be in use (\u003ccode\u003eConfig::wasm_memory64\u003c/code\u003e enabled, which is the default), and either Spectre mitigations or signals-based-traps must be disabled. This vulnerability allows a sandbox escape enabling attackers to compromise the host system from within the WebAssembly runtime.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious WebAssembly module is loaded into Wasmtime.\u003c/li\u003e\n\u003cli\u003eThe module is compiled using the Cranelift backend on an aarch64 architecture.\u003c/li\u003e\n\u003cli\u003eThe module contains a heap access operation of the form \u003ccode\u003eload(iadd(base, ishl(index, amt)))\u003c/code\u003e where \u003ccode\u003eamt\u003c/code\u003e is a constant.\u003c/li\u003e\n\u003cli\u003eCranelift miscompiles this load instruction due to an incorrect mask applied to the \u003ccode\u003eamt\u003c/code\u003e value during instruction selection.\u003c/li\u003e\n\u003cli\u003eThe WebAssembly module performs a bounds check on the intended memory address.\u003c/li\u003e\n\u003cli\u003eDue to the miscompilation, the address used for the actual load operation is different from the address used in the bounds check, effectively bypassing the check.\u003c/li\u003e\n\u003cli\u003eThe module performs an arbitrary read or write operation to host memory outside of the WebAssembly sandbox.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control or extracts sensitive information from the host system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a malicious WebAssembly module to escape the Wasmtime sandbox. This grants the attacker the ability to read and write arbitrary memory locations on the host system, leading to potential data exfiltration, privilege escalation, or complete system compromise. The vulnerability affects applications and systems that rely on Wasmtime for sandboxed execution of WebAssembly code on aarch64 architectures, potentially impacting a wide range of services and infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Wasmtime version 36.0.7, 42.0.2, or 43.0.1 or later to patch the vulnerability as described in the \u003ca href=\"https://github.com/advisories/GHSA-jhxm-h53p-jm7w\"\u003eWasmtime advisory\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, ensure that Spectre mitigations are enabled in your Wasmtime configuration as a workaround.\u003c/li\u003e\n\u003cli\u003eAs an alternative workaround, disable \u003ccode\u003eConfig::wasm_memory64\u003c/code\u003e if your application does not require 64-bit WebAssembly linear memories.\u003c/li\u003e\n\u003cli\u003eMonitor systems running Wasmtime on aarch64 architectures for anomalous memory access patterns that could indicate exploitation of this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-wasmtime-sandbox-escape/","summary":"A critical sandbox escape vulnerability exists in Wasmtime's Cranelift compilation backend on aarch64, allowing guest WebAssembly modules to bypass bounds checks and achieve arbitrary read/write access to host memory under specific configuration conditions.","title":"Wasmtime Cranelift AArch64 Sandbox Escape Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-wasmtime-sandbox-escape/"}],"language":"en","title":"CraftedSignal Threat Feed - Cranelift","version":"https://jsonfeed.org/version/1.1"}