bytecodealliance wasmtime
cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:rust:*:*
- <= 34.0.1
A denial-of-service vulnerability has been identified in the Wasmtime WebAssembly runtime, specifically within versions prior to 24.0.4, 33.0.2, and 34.0.2. The issue arises in Wasmtime's implementation of the WASIp1 import functions, where a WebAssembly guest can induce a panic in the host embedder. This vulnerability is triggered by calling 'path_open' after 'fd_renumber' with either two equal argument values or a second argument that matches a previously closed file descriptor number. The corrupted state left behind by 'fd_renumber' causes the subsequent file descriptor opening to panic. While this panic cannot cause memory unsafety or allow WebAssembly to escape its sandbox, it represents a denial-of-service vector for WebAssembly embedders, thus qualifying as a security issue in Wasmtime.
Exploitation of this vulnerability causes a panic in the host embedder, disrupting the normal execution flow and potentially leading to a denial-of-service condition.
To reproduce this vulnerability, a WebAssembly guest must be provided with a preopened directory, allowing it to open additional file descriptors. The guest can then call 'fd_renumber' with either two equal values or a value corresponding to a closed file descriptor, followed by a 'path_open' call. This sequence will trigger the panic in the host.
Users should update to Wasmtime versions 24.0.4, 33.0.2, or 34.0.2. Instructions for updating can be found in the Wasmtime release process documentation.
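A defender-side check for the fixed versions listed above, added here as an example (it is not Wasmtime project code or part of the original advisory): it scans Cargo.lock text for the `wasmtime` crate and flags versions older than 24.0.4, 33.0.2 or 34.0.2. The function names and the sample lockfile are constructed for illustration, and release lines with no listed fix are assumed to be affected.

```rust
/// Parse "MAJOR.MINOR.PATCH", ignoring any pre-release or build suffix.
fn parse_version(s: &str) -> Option<(u64, u64, u64)> {
    let core = s.split(|c| c == '-' || c == '+').next()?;
    let mut p = core.split('.').map(|x| x.parse::<u64>().ok());
    Some((p.next()??, p.next()??, p.next()??))
}

/// Fixed releases from the advisory: 24.0.4, 33.0.2, 34.0.2.
/// Assumption: lines with no listed fix (e.g. 25.x to 32.x) count as affected.
fn is_affected(v: (u64, u64, u64)) -> bool {
    match v.0 {
        24 => v < (24, 0, 4),
        33 => v < (33, 0, 2),
        m if m >= 34 => v < (34, 0, 2),
        _ => true,
    }
}

/// Return (version, affected) for each `wasmtime` package in Cargo.lock text.
fn scan_lockfile(lock: &str) -> Vec<(String, bool)> {
    let mut hits = Vec::new();
    let mut in_wasmtime = false;
    for line in lock.lines().map(str::trim) {
        if line.starts_with("name = ") {
            in_wasmtime = line == "name = \"wasmtime\"";
        } else if let (true, Some(rest)) = (in_wasmtime, line.strip_prefix("version = ")) {
            let ver = rest.trim_matches('"');
            // Unparseable versions are flagged so a human reviews them.
            hits.push((ver.to_string(), parse_version(ver).map_or(true, is_affected)));
            in_wasmtime = false;
        }
    }
    hits
}

// Constructed sample lockfile fragment (not from a real project).
const SAMPLE_LOCK: &str = "[[package]]\nname = \"anyhow\"\nversion = \"1.0.0\"\n\
[[package]]\nname = \"wasmtime\"\nversion = \"34.0.1\"\n\
[[package]]\nname = \"wasmtime\"\nversion = \"33.0.2\"\n";

fn main() {
    for (ver, affected) in scan_lockfile(SAMPLE_LOCK) {
        let status = if affected { "AFFECTED, upgrade" } else { "patched" };
        println!("wasmtime {}: {}", ver, status);
    }
}
```

A lockfile can contain more than one `wasmtime` entry when dependencies pin different majors, so every entry is reported rather than only the first.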