Vm2 JavaScript Library Flaw Can Lead to Remote Code Execution
Two serious issues that could be used to bypass the sandbox's protections have been fixed in a new set of releases of the vm2 JavaScript library.
Versions 3.9.16 and 3.9.17 respectively patch CVE-2023-29199 and CVE-2023-30547; both vulnerabilities are rated 9.8 out of 10 on the CVSS scale.
CVE-2023-29199: In vm2 versions up to and including 3.9.15, a flaw in the source code transformer (the exception sanitization logic) lets attackers circumvent `handleException()` and leak unsanitized host exceptions. Those exceptions can then be leveraged to escape the sandbox and execute arbitrary code in the host context, giving a threat actor access to the host on which the sandbox is running. vm2 version 3.9.16 was released with a fix for this issue.
CVE-2023-30547: vm2 is a sandbox that can run untrusted code with whitelisted Node built-in modules. In versions up to and including 3.9.16, a flaw in the exception sanitization lets attackers raise an unsanitized host exception inside `handleException()` and use it to escape the sandbox and execute arbitrary code in the host context. vm2 version 3.9.17 was released with a fix for this issue. There are no known workarounds; users are encouraged to update.
By successfully exploiting either flaw, an attacker can raise an unsanitized host exception, escape the sandbox and run arbitrary code in the host context.
The maintainers of the vm2 library issued a warning saying that “a threat actor can circumvent the sandbox protections to gain remote code execution rights on the host running the sandbox.”
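Since the advisory offers no workaround other than upgrading, the practical check is whether any copy of vm2 in a project's dependency tree, direct or nested, predates the fixed releases named above. The following audit script is an added example, not code from the vm2 project or the article; it walks the `packages` map of an npm lockfile (v2/v3 format) and maps each vm2 version to the CVEs it is still exposed to, using only the fix versions stated in this article. The sample lockfile is constructed for illustration.

```javascript
// Fix versions as stated in the advisory: 3.9.16 fixes CVE-2023-29199,
// 3.9.17 fixes CVE-2023-30547. Anything older is exposed to the unfixed CVEs.
const FIXES = [
  { cve: "CVE-2023-29199", fixedIn: "3.9.16" },
  { cve: "CVE-2023-30547", fixedIn: "3.9.17" },
];

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return the CVEs from FIXES that a given vm2 version is still exposed to.
function cvesAffecting(version) {
  return FIXES.filter((f) => compareVersions(version, f.fixedIn) < 0).map((f) => f.cve);
}

// Walk the lockfile "packages" map and report every vm2 instance, including
// copies nested under other dependencies, that predates the fixed release.
function auditLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/vm2") || !meta.version) continue;
    const cves = cvesAffecting(meta.version);
    if (cves.length) findings.push({ path, version: meta.version, cves });
  }
  return findings;
}

// Constructed sample lockfile: a direct vm2 at a still-vulnerable version and a
// nested copy (pulled in by a hypothetical "some-runner" package) already patched.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.9.16" },
    "node_modules/some-runner/node_modules/vm2": { version: "3.9.17" },
  },
};

console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
```

To audit a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `auditLock` instead of the constructed sample.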
Security researcher SeungHyun Lee is credited with finding and disclosing the flaws, and has also published proof-of-concept (PoC) exploits for both issues.
A week earlier, vm2 had patched another sandbox escape vulnerability (CVE-2023-29017, CVSS score: 9.8) that could likewise allow arbitrary code to be executed on the underlying system.
It is also worth recalling that late last year researchers from Oxeye published details of Sandbreak, a serious remote code execution flaw in vm2 (CVE-2022-36067, CVSS score: 9.8).