Amazon Firecracker
cpe:2.3:a:amazon:firecracker:*:*:*:*:*:*:*
- >= 1.13.0, <= 1.14.3
- 1.15.0
Firecracker versions 1.13.0 through 1.14.3 and 1.15.0, on both x86_64 and aarch64, contain an out-of-bounds write in the virtio PCI transport. A local guest user with root privileges can trigger it by modifying virtio queue configuration registers after the device has been activated, crashing the Firecracker Virtual Machine Monitor (VMM) process or potentially executing arbitrary code on the host. Host code execution requires additional conditions, such as a custom guest kernel or a specific snapshot configuration.
Successful exploitation results either in a process panic (a denial-of-service condition) or in out-of-bounds writes of up to 524,284 bytes past the virtio queues into the Firecracker process's host memory.
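The bug class described above is a transport that keeps honouring guest writes to queue configuration registers after activation, so the register values drift out of sync with host-side state that was sized when the device was activated. The following is an added illustration of that pattern and its fix, written for this page; it is not Firecracker's code, and the register names, the queue maximum and the per-descriptor bookkeeping are assumptions made for the example. The same device model runs in two modes: the lax mode accepts a post-activation queue-size write and then indexes host state with the stale size (a panic in safe Rust, memory corruption in unchecked code), while the hardened mode validates the configuration once at activation and drops later writes.

```rust
// Illustrative model of "queue config writable after activation". Not
// Firecracker's code; names, sizes and register layout are assumptions.

const MAX_QUEUE_SIZE: u16 = 256; // assumed per-device maximum
const DESC_SIZE: usize = 16;     // a virtio descriptor is 16 bytes

#[derive(Clone, Copy, Debug, Default)]
pub struct QueueConfig {
    pub size: u16,      // queue_size register
    pub desc_addr: u64, // queue_desc register (guest physical address)
}

#[derive(Debug, PartialEq, Eq)]
pub enum RegWrite {
    Accepted,
    IgnoredAfterActivation,
}

pub struct Device {
    cfg: QueueConfig,
    activated: bool,
    /// Host-side per-descriptor bookkeeping, sized from cfg.size at activation.
    desc_state: Vec<u8>,
    guest_mem_size: u64,
    /// false = vulnerable pattern (registers stay writable after activation)
    /// true  = hardened pattern (writes are dropped once activated)
    hardened: bool,
}

impl Device {
    pub fn new(guest_mem_size: u64, hardened: bool) -> Self {
        Device { cfg: QueueConfig::default(), activated: false, desc_state: Vec::new(), guest_mem_size, hardened }
    }

    /// Guest write to queue_size. In the vulnerable pattern this lands even
    /// after activation, leaving cfg.size out of sync with desc_state.len().
    pub fn write_queue_size(&mut self, v: u16) -> RegWrite {
        if self.activated && self.hardened {
            return RegWrite::IgnoredAfterActivation;
        }
        self.cfg.size = v;
        RegWrite::Accepted
    }

    pub fn write_desc_addr(&mut self, v: u64) -> RegWrite {
        if self.activated && self.hardened {
            return RegWrite::IgnoredAfterActivation;
        }
        self.cfg.desc_addr = v;
        RegWrite::Accepted
    }

    /// Validate the configuration once, then freeze it and allocate host state.
    pub fn activate(&mut self) -> Result<(), &'static str> {
        let size = self.cfg.size;
        if size == 0 || size > MAX_QUEUE_SIZE || !size.is_power_of_two() {
            return Err("invalid queue size");
        }
        let table_bytes = u64::from(size) * DESC_SIZE as u64;
        let table_end = self.cfg.desc_addr.checked_add(table_bytes).ok_or("descriptor table address overflows")?;
        if table_end > self.guest_mem_size {
            return Err("descriptor table outside guest memory");
        }
        self.desc_state = vec![0u8; table_bytes as usize];
        self.activated = true;
        Ok(())
    }

    /// Record host-side state for descriptor `idx`. The bound is the *current*
    /// register value, so a size changed after activation lets `off` run past
    /// desc_state: an index panic here, an out-of-bounds write in unchecked code.
    pub fn process_descriptor(&mut self, idx: u16) -> Result<(), &'static str> {
        if !self.activated { return Err("device not activated"); }
        if idx >= self.cfg.size { return Err("index beyond queue size"); }
        let off = usize::from(idx) * DESC_SIZE;
        self.desc_state[off..off + DESC_SIZE].copy_from_slice(&[0xA5; DESC_SIZE]);
        Ok(())
    }

    pub fn queue_size(&self) -> u16 { self.cfg.size }
    pub fn host_state_len(&self) -> usize { self.desc_state.len() }
}

fn main() {
    for hardened in [false, true] {
        let mut d = Device::new(1 << 20, hardened); // 1 MiB of (assumed) guest memory
        d.write_queue_size(8);
        d.write_desc_addr(0x1000);
        d.activate().expect("valid config");
        let w = d.write_queue_size(MAX_QUEUE_SIZE); // guest rewrites the register post-activation
        let r = std::panic::catch_unwind(std::panic::AssertUnwindSafe(|| d.process_descriptor(200)));
        println!(
            "hardened={hardened}: write -> {w:?}, queue_size={}, host state={} bytes, descriptor 200 -> {}",
            d.queue_size(), d.host_state_len(),
            match r { Ok(inner) => format!("{inner:?}"), Err(_) => "panic".to_string() }
        );
    }
}
```

The hardened path matches the fix shape this advisory implies: configuration is checked against guest memory and the queue maximum exactly once, and the register file becomes read-only to the guest from activation onward, so no host-side allocation can be indexed with a value the guest changed later.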
Upgrade to Firecracker 1.14.4 or later (1.14 series) or 1.15.1 or later. As an interim workaround, PCI transport can be disabled by removing the '--enable-pci' flag from the Firecracker command-line invocation; to confirm whether a running VMM was started with it, inspect the process's command line (for example /proc/<pid>/cmdline) for '--enable-pci'. Note that switching from PCI to MMIO transport may reduce I/O throughput and increase latency.