This blog post [1] investigates a Firecracker issue, CVE-2019-18960 [2], which was uncovered in 2019 and affected Firecracker versions 0.18.0 and 0.19.0. Support for the affected Firecracker versions 0.18.0 and 0.19.0 ended in 2019. The issue in the affected versions was in the vsock implementation and could result in the DoS of the guest kernel. Firecracker’s affected versions were patched and released as Firecracker v0.18.1 [3] and Firecracker v0.19.1 [4] in 2019.
Current Firecracker supported versions are v1.1.0 [5] and v1.1.1 [6] and are not affected by CVE-2019-18960. Firecracker verifies that the entire range of a guest-provided buffer maps to a valid memory region.
[1] https://www.graplsecurity.com/post/attacking-firecracker
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18960
[3] https://github.com/firecracker-microvm/firecracker/releases/tag/v0.18.1
[4] https://github.com/firecracker-microvm/firecracker/releases/tag/v0.19.1
[5] https://github.com/firecracker-microvm/firecracker/releases/tag/v1.1.0
[6] https://github.com/firecracker-microvm/firecracker/releases/tag/v1.1.1
Best Regards,
Marco on behalf of the Firecracker maintainers team.
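
The full-range check described in the post, as an added example that is not Firecracker's code: `Region`, `GuestMemory`, both method names and the memory layout are hypothetical, and the example assumes a buffer must fit inside a single region. The start-only lookup is included only for contrast.

```rust
// Added illustration; names and layout are hypothetical, not Firecracker's.
struct Region { start: u64, len: u64 }

struct GuestMemory { regions: Vec<Region> }

impl GuestMemory {
    /// Weaker lookup, for contrast: only the first byte of the buffer is checked.
    fn start_is_mapped(&self, addr: u64) -> bool {
        self.regions.iter().any(|r| addr >= r.start && addr - r.start < r.len)
    }

    /// Full check: every byte of [addr, addr + len) lies inside one region.
    fn range_is_mapped(&self, addr: u64, len: u64) -> bool {
        if len == 0 {
            return false; // an empty buffer is rejected, not silently accepted
        }
        // A guest controls both values, so addr + len may wrap around u64.
        let end = match addr.checked_add(len) {
            Some(e) => e,
            None => return false,
        };
        self.regions.iter().any(|r| {
            let region_end = match r.start.checked_add(r.len) {
                Some(e) => e,
                None => return false,
            };
            addr >= r.start && end <= region_end
        })
    }
}

/// Constructed layout: 256 MiB at 0, a hole, then 256 MiB at 4 GiB.
fn sample_memory() -> GuestMemory {
    GuestMemory { regions: vec![
        Region { start: 0, len: 0x1000_0000 },
        Region { start: 0x1_0000_0000, len: 0x1000_0000 },
    ] }
}

fn main() {
    let mem = sample_memory();
    // Constructed (addr, len) pairs standing in for guest-provided descriptors.
    let bufs = [(0x1000u64, 0x1000u64), (0x0FFF_F000, 0x2000), (u64::MAX - 0xF, 0x100)];
    for &(addr, len) in bufs.iter() {
        println!("{:#x}+{:#x}: start_only={} full_range={}",
                 addr, len, mem.start_is_mapped(addr), mem.range_is_mapped(addr, len));
    }
}
```

The second sample buffer starts in mapped memory but runs into the hole after the first region, so only the full-range check rejects it.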