Critical Spin Framework Flaw: Sandbox Escape Vulnerability Exposed (CVE-2024-32980)

The Spin project, an open-source framework designed for building and running secure and fast cloud microservices using WebAssembly, has recently issued a critical security advisory. The advisory pertains to a significant vulnerability, identified as CVE-2024-32980, which carries a high-risk score of 9.1 on the Common Vulnerability Scoring System (CVSS). This vulnerability has the potential to allow network sandbox escapes in specifically configured Spin applications.

CVE-2024-32980 affects Spin applications under certain conditions where the application makes internal requests without specifying a URL authority. Attackers can exploit this vulnerability by manipulating the Host HTTP header to induce the application to make requests to arbitrary hosts. This flaw exposes affected systems to potential security breaches, including unauthorized data access and service disruptions.

An application becomes vulnerable under the following circumstances:

1. Routing Based on URL: The environment hosting the Spin runtime must route requests based on the request URL, not the Host header, and must retain the Host header as originally set by the client.
2. Configuration of allowed_outbound_hosts: The application’s component handling the request should have its allowed_outbound_hosts list include “self”.
3. Outbound Request Handling: Upon receiving an incoming request, the affected component may issue an outbound request that lacks a hostname or port in its URL.

If all these conditions are met, Spin will erroneously use the inbound request’s Host header as the authority part of the URL for the outbound request if no hostname is explicitly provided.

It’s noteworthy that applications hosted on Fermyon’s Fermyon Cloud, a serverless product, are not affected by this vulnerability. The configuration and operational models of Fermyon Cloud inherently prevent such an exploitation scenario.

Spin has responded swiftly with the release of version 2.4.3, which addresses this vulnerability. Users of the Spin framework are urged to update to this latest version immediately to protect their applications from potential exploits.

For those unable to immediately upgrade, the Spin project has outlined several workarounds:

• Host Header Sanitization: Ensure that the Host header is appropriately sanitized to match the application to which a request is routed.
• Explicit Hostname in URL: Modify outgoing requests to always include the hostname in the URL, and use this hostname in the allowed_outbound_hosts list, rather than “self”.
• Intra-application Service Chaining: Utilize application-internal service chaining for handling intra-application requests, especially in Spin version 2.4 environments.