CVE-2022-24791

Use after free in Wasmtime

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Wasmtime is a standalone JIT-style runtime for WebAssembly, using Cranelift. There is a use after free vulnerability in Wasmtime when both running Wasm that uses externrefs and enabling epoch interruption in Wasmtime. If you are not explicitly enabling epoch interruption (it is disabled by default) then you are not affected. If you are explicitly disabling the Wasm reference types proposal (it is enabled by default) then you are also not affected. The use after free is caused by Cranelift failing to emit stack maps when there are safepoints inside cold blocks. Cold blocks occur when epoch interruption is enabled. Cold blocks are emitted at the end of compiled functions, and change the order blocks are emitted versus defined. This reordering accidentally caused Cranelift to skip emitting some stack maps because it expected to emit the stack maps in block definition order, rather than block emission order. When Wasmtime would eventually collect garbage, it would fail to find live references on the stack because of the missing stack maps, think that they were unreferenced garbage, and therefore reclaim them. Then after the collection ended, the Wasm code could use the reclaimed-too-early references, which is a use after free. Patches have been released in versions 0.34.2 and 0.35.2, which fix the vulnerability. All Wasmtime users are recommended to upgrade to these patched versions. If upgrading is not an option for you at this time, you can avoid the vulnerability by either: disabling the Wasm reference types proposal, config.wasm_reference_types(false); or by disabling epoch interruption if you were previously enabling it. config.epoch_interruption(false).

Wasmtime es un tiempo de ejecución independiente de estilo JIT para WebAssembly, usando Cranelift. Se presenta una vulnerabilidad de uso de memoria previamente liberada en Wasmtime cuando es ejecutado Wasm que usa externrefs y es habilitada la interrupción de época en Wasmtime. Si no está habilitando explícitamente la interrupción de época (está deshabilitada por defecto) entonces no está afectado. Si está deshabilitando explícitamente la propuesta de tipos de referencia de Wasm (está habilitada por defecto) entonces tampoco le afecta. El uso de memoria previamente liberada es causado por Cranelift que no emite mapas de pila cuando se presentan puntos de seguridad dentro de los bloques fríos. Los bloques fríos son producidos cuando la interrupción de la época está habilitada. Los bloques fríos son emitidos al final de las funciones compiladas, y cambian el orden en que son emitidos los bloques frente a los definidos. Esta reordenación causó accidentalmente que Cranelift omitiera la emisión de algunos mapas de pila porque esperaba emitir los mapas de pila en orden de definición de bloques, en lugar de en orden de emisión de bloques. Cuando Wasmtime recogía finalmente la basura, no encontraba referencias vivas en la pila debido a los mapas de pila faltantes, pensaba que eran basura no referenciada y, por tanto, los reclamaba. Entonces, una vez terminada la recolección, el código Wasm podía usar las referencias recuperadas demasiado pronto, lo cual es un uso de memoria previamente liberada. Han sido publicados parches en versiones 0.34.2 y 0.35.2, que corrigen la vulnerabilidad. Es recomendado a todos los usuarios de Wasmtime actualizar a estas versiones parcheadas. Si actualizar no es una opción para ti en este momento, puedes evitar la vulnerabilidad: deshabilitando la propuesta de tipos de referencia de Wasm, config.wasm_reference_types(false); o deshabilitando la interrupción de época si la estabas habilitando previamente. config.epoch_interruption(false)

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-02-10 CVE Reserved
2022-03-31 CVE Published
2023-10-22 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-416: Use After Free

CAPEC

References (2)

URL	Tag	Source
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-gwc9-348x-qwv2	Mitigation

URL	Date	SRC

URL	Date	SRC
https://github.com/bytecodealliance/wasmtime/commit/666c2554ea0e1728c35aa41178cf235920db888a	2022-04-08

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Bytecodealliance Search vendor "Bytecodealliance"		Wasmtime Search vendor "Bytecodealliance" for product "Wasmtime"				>= 0.34.0 < 0.34.2 Search vendor "Bytecodealliance" for product "Wasmtime" and version " >= 0.34.0 < 0.34.2"		rust		Affected
Bytecodealliance Search vendor "Bytecodealliance"		Wasmtime Search vendor "Bytecodealliance" for product "Wasmtime"				>= 0.35.0 < 0.35.2 Search vendor "Bytecodealliance" for product "Wasmtime" and version " >= 0.35.0 < 0.35.2"		rust		Affected