Description
Wasmer filesystem sandbox not enforced
Summary
As of Wasmer version v4.2.3, Wasm programs can access the filesystem outside of the sandbox.
Details
https://github.com/wasmerio/wasmer/issues/4267
PoC
A minimal Rust program:
This should be compiled with cargo build --target wasm32-wasi. The compiled program, when run with wasmer WITHOUT --dir, can still create a file in the working directory.
Impact
Service providers running untrusted Wasm code on Wasmer can unexpectedly expose the host filesystem.
References
- https://github.com/wasmerio/wasmer/security/advisories/GHSA-4mq4-7rw3-vm5j
- https://nvd.nist.gov/vuln/detail/CVE-2023-51661
- https://github.com/wasmerio/wasmer/issues/4267
- https://github.com/wasmerio/wasmer/commit/4d63febf9d8b257b0531963b85df48d45d0dbf3c
- https://github.com/wasmerio/wasmer/commit/e3923612c23123025c26f982d390e34df7df030f
Packages
wasmer-cli
Affected versions: >= 3.0.0, < 4.2.4
Patched version: 4.2.4
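A host audit check for the affected range listed above, as an added example that is not part of the original advisory or the Wasmer project's code. The function names are illustrative, and only the numeric MAJOR.MINOR.PATCH core is compared (pre-release suffixes are ignored).

```shell
#!/bin/sh
# Added example: flag wasmer-cli versions inside the advisory's affected
# range (>= 3.0.0, < 4.2.4). Function names are hypothetical helpers.

# extract_version TEXT: print the first MAJOR.MINOR.PATCH found in TEXT,
# e.g. the "wasmer 4.2.3" line printed by `wasmer --version`.
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# ver_lt A B: succeed when version A is strictly lower than version B.
ver_lt() {
    a=$1 b=$2
    for i in 1 2 3; do
        x=${a%%.*} y=${b%%.*}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        # Drop the field just compared; pad with 0 when none is left.
        case $a in *.*) a=${a#*.} ;; *) a=0 ;; esac
        case $b in *.*) b=${b#*.} ;; *) b=0 ;; esac
    done
    return 1    # equal versions are not "lower"
}

# wasmer_affected TEXT: 0 = in affected range, 1 = outside it,
# 2 = no version could be parsed from TEXT.
wasmer_affected() {
    v=$(extract_version "$1")
    [ -n "$v" ] || return 2
    ver_lt "$v" 3.0.0 && return 1    # older than the affected range
    ver_lt "$v" 4.2.4                # affected when below the patched release
}

# Check the locally installed CLI, if there is one.
if command -v wasmer >/dev/null 2>&1; then
    out=$(wasmer --version 2>/dev/null | head -n 1)
    if wasmer_affected "$out"; then
        echo "AFFECTED: $out (upgrade to 4.2.4 or later)"
    else
        echo "not in affected range, or unparsed: $out"
    fi
fi
```

On hosts that must stay on an affected release for now, the check only identifies them; the advisory gives no workaround other than the patched version.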
Related vulnerabilities
Wasmer is a WebAssembly runtime that enables containers to run anywhere: from Desktop to the Cloud, Edge and even the browser. Wasm programs can access the filesystem outside of the sandbox. Service providers running untrusted Wasm code on Wasmer can unexpectedly expose the host filesystem. This vulnerability has been patched in version 4.2.4.