Wasmtime, Memory Safety Violation, CVE-2024-45xx (Critical)


The CVE-2024-45xx vulnerability in Wasmtime stems from an unsoundness in its safe Rust API that allows a WebAssembly shared linear memory to be represented and accessed as if it were non-shared. The flaw exists because the `wasmtime::Memory` type, which is designed for non-shared memories and provides safe Rust accessors that return plain borrowed views (`&[u8]`-style slices), could be erroneously used for shared memories. Shared memories, which belong to the `wasmtime::SharedMemory` type, require synchronized access because multiple threads can modify them in parallel. Using the `wasmtime::Memory` API on such a memory breaks Rust's safety guarantees and can lead to data races. This occurred through two paths: the `wasmtime::Memory::new` constructor incorrectly accepted a shared `MemoryType`, and core dumps captured shared memories as `wasmtime::Memory`; both performed unsynchronized reads.
Platform: Wasmtime
Version: <24.0.5, <36.0.3, <37.0.3, <38.0.4
Vulnerability: Memory Safety
Severity: Critical
Date: 2024-01-XX
Prediction: 2024-02-XX

What Undercode Says:

First, check the dependency tree and pull in a patched release:

```sh
cargo audit
cargo update -p wasmtime
```

The vulnerable and the correct usage side by side. Note that `SharedMemory::new` takes an `Engine`, not a store:

```rust
use wasmtime::{Engine, Memory, MemoryType, SharedMemory, Store};

let engine = Engine::default();
let mut store: Store<()> = Store::new(&engine, ());
let memory_type = MemoryType::shared(10, 20); // shared memory type (min/max pages)

// UNSAFE: creating a shared memory with Memory::new (vulnerable versions accepted this)
let memory = Memory::new(&mut store, memory_type).unwrap(); // patched versions return Err here

// SAFE: shared memories go through SharedMemory::new, which takes the Engine
let shared_mem = SharedMemory::new(&engine, memory_type).unwrap();
```
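To make the soundness argument concrete, here is an added, self-contained model (not Wasmtime's code; `MemoryType`, `Memory` and `SharedMemory` are simplified stand-ins for the real types) of why a shared linear memory cannot be exposed through the non-shared API's borrowed views, together with the kind of constructor check the patched versions apply:

```rust
// Added model, not Wasmtime's implementation: why a shared memory must not be
// reachable through the non-shared `Memory` API, plus the patched constructor check.
use std::sync::atomic::{AtomicU8, Ordering};
use std::sync::Arc;
/// Simplified stand-in for `wasmtime::MemoryType` (sizes in bytes, no page math).
#[derive(Clone, Copy, Debug)]
pub struct MemoryType { pub min_bytes: usize, pub shared: bool }

/// Non-shared memory: exactly one owner, so plain `&[u8]` / `&mut [u8]` views are sound.
pub struct Memory { data: Vec<u8> }
impl Memory {
    /// Patched behaviour: a shared type is rejected instead of being silently accepted.
    pub fn new(ty: MemoryType) -> Result<Memory, String> {
        if ty.shared {
            return Err("shared memory types must be created with SharedMemory::new".into());
        }
        Ok(Memory { data: vec![0; ty.min_bytes] })
    }
    pub fn data(&self) -> &[u8] { &self.data }
    pub fn data_mut(&mut self) -> &mut [u8] { &mut self.data }
}

/// Shared memory: a cloneable handle over atomic cells. There is deliberately no
/// `&[u8]` accessor, because another thread may write any byte at any time.
#[derive(Clone)]
pub struct SharedMemory { data: Arc<[AtomicU8]> }
impl SharedMemory {
    pub fn new(ty: MemoryType) -> Result<SharedMemory, String> {
        if !ty.shared {
            return Err("non-shared memory types must be created with Memory::new".into());
        }
        let cells: Vec<AtomicU8> = (0..ty.min_bytes).map(|_| AtomicU8::new(0)).collect();
        Ok(SharedMemory { data: Arc::from(cells) })
    }
    pub fn len(&self) -> usize { self.data.len() }
    pub fn load(&self, i: usize) -> u8 { self.data[i].load(Ordering::SeqCst) }
    pub fn store(&self, i: usize, v: u8) { self.data[i].store(v, Ordering::SeqCst) }
}

/// Several host threads write one shared memory in parallel (exactly what a `&[u8]`
/// view cannot tolerate), then the bytes are summed: every byte ends up as 1.
pub fn parallel_fill(mem: &SharedMemory, threads: usize) -> u64 {
    let handles: Vec<_> = (0..threads).map(|t| {
        let m = mem.clone();
        std::thread::spawn(move || { for i in (t..m.len()).step_by(threads) { m.store(i, 1); } })
    }).collect();
    handles.into_iter().for_each(|h| h.join().unwrap());
    (0..mem.len()).map(|i| mem.load(i) as u64).sum()
}
```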

How the Exploit Works:

An attacker can instantiate a shared WebAssembly memory and access it concurrently from multiple host threads. Because `wasmtime::Memory` hands out a plain, unsynchronized borrowed view (`&[u8]`-style) of that memory, concurrent writes produce a data race. The race can expose inconsistent memory states, potentially leaking sensitive information or causing application crashes and corruption.

Protection from this CVE:

Upgrade to Wasmtime 24.0.5, 36.0.3, 37.0.3 or 38.0.4 (or a later release in the same series). These patched versions reject shared memory creation via `Memory::new` and exclude shared memories from core dumps. If an immediate upgrade is not possible, disable core dumps and ensure that shared memories are created only through `SharedMemory::new`.

Impact:

Data races in the host application, memory corruption, information disclosure, and application crashes.


Sources:

Reported By: github.com