'[oss-security] CVE-2020-16843: Firecracker v0.20.0, v0.21.0 and v0.21.1 network stack can freeze und'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CVE-2020-16843: Firecracker v0.20.0, v0.21.0 and v0.21.1 network stack can freeze und
From:       "Iorga, Serban" <seriorga () amazon ! com>
Date:       2020-08-13 8:38:15
Message-ID: 1597307893318.52919 () amazon ! com
[Download RAW message or body]


We have identified an issue in the Firecracker v0.20.0, v0.21.0 and v0.21.1=
 virtio-net emulation.

# Issue Description

Under heavy network ingress traffic, when the host TAP interface's receive =
queue is not drained and the guest virtio-net device's receive queue is ful=
l, the microVM network interface ingress can freeze. There is no possibilit=
y to recover from this state, resulting in a denial of service on the micro=
VM when it is configured with a single network interface, and causing an av=
ailability problem for the microVM network interface on which the issue is =
triggered.

This issue is difficult to reproduce with TCP traffic. The TCP congestion a=
lgorithm makes it harder to fill both the TAP interface and virtio receive =
queues.

# Impact

When this issue is triggered, the guest kernel network interface will no lo=
nger receive packets.

# Vulnerable Systems

Firecracker releases v0.20.0, v0.21.0 and v0.21.1 are affected.

# Mitigation

Patched binaries mitigating this issue have been released as Firecracker v0=
.20.1[1] and Firecracker v0.21.2[2].
If you are using Firecracker v0.20.0, v0.21.0 or v0.21.1, we recommend you =
apply the provided fix. If you are using Firecracker v0.19.1 or below, you =
do not need to take any action.

[1] https://github.com/firecracker-microvm/firecracker/releases/tag/v0.20.1
[2] https://github.com/firecracker-microvm/firecracker/releases/tag/v0.21.2

Best Regards,
Serban Iorga on behalf of the Firecracker maintainers team.

Amazon Development Center (Romania) S.R.L. registered office: 27A Sf. Lazar=
 Street, UBC5, floor 2, Iasi, Iasi County, 700045, Romania. Registered in R=
omania. Registration number J22/2621/2005.





Amazon Development Center (Romania) S.R.L. registered office: 27A Sf. Lazar=
 Street, UBC5, floor 2, Iasi, Iasi County, 700045, Romania. Registered in R=
omania. Registration number J22/2621/2005.


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic