Critical RCE Vulnerability with Max CVSS Score in VM2 Sandbox Library
A critical vulnerability in vm2 might let a remote attacker bypass the sandbox environment and execute shell commands on the device hosting the sandbox.
To reduce the possibility that malicious code will harm the host machine it is running on, untrusted programs can run in an isolated environment known as a sandbox.
With more than 16 million downloads per month, vm2 is a popular JavaScript sandbox module that allows untrusted code to run synchronously in a single process.
About the Vulnerability
Security researchers from Oxeye identified CVE-2022-36067 in August 2022 as a critical vulnerability in vm2 with a CVSS score of 10. Due to the vulnerability’s potentially wide-ranging effects, all vm2 users should be on high alert.
The primary cause of the vulnerability, which Oxeye’s researchers have called SandBreak, is the way the vm2 maintainers implemented a Node.js feature that enables customizing the call stack of errors in the software testing framework.
When an error occurs, Node.js executes a specific method and passes it an array of “CallSite” objects as arguments. The researchers explain that some CallSite objects might return objects produced outside the sandbox.
With control of one of the returned objects, an attacker may access Node’s global objects and execute arbitrary system commands from there, according to Oxeye.
The researchers could also replace the global Error object with their own version, which also had a custom prepareStackTrace function. When it was called, it would discover a CallSite object outside the sandbox, allowing arbitrary code to be executed on the host.
To reduce the risk, the vm2 implementation wrapped the prepareStackTrace function of the Error object and the called method so that users couldn’t override them. Because vm2 did not cover all specified methods, a hacker might still provide their own implementation of the prepareStackTrace method and bypass the sandbox.
Mitigations
On August 28, vm2 version 3.9.11 was released, fixing the SandBreak vulnerability; until now, no technical information on the vulnerability has been available.
Oxeye urges AppSec engineers, R&D managers, and security experts to patch all vm2 sandbox instances in their environments.
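One way to check the patch advice above, as an added example that is not code from the article, Oxeye, or the vm2 project: it walks a parsed npm lockfile and flags every vm2 copy, including nested ones pulled in by other packages, that is older than the fixed 3.9.11. The function names and both sample lockfiles are constructed for illustration.

```javascript
// Added example: flag vm2 copies older than the fixed release named in the article.
const FIXED = [3, 9, 11]; // vm2 3.9.11 fixes CVE-2022-36067
// True if `version` sorts before 3.9.11. Unparseable specs (git URLs, missing
// fields) return true so they get a manual look instead of a silent pass.
function isVulnerable(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version).trim());
  if (!m) return true;
  for (let i = 0; i < 3; i++) {
    const part = Number(m[i + 1]); // numeric compare: 3.9.9 < 3.9.11
    if (part !== FIXED[i]) return part < FIXED[i];
  }
  return Boolean(m[4]); // a pre-release such as 3.9.11-rc.1 precedes 3.9.11
}

// Collect every vm2 install, top-level or nested, from a parsed lockfile.
function findVm2(lock) {
  const hits = [];
  if (lock.packages) { // lockfileVersion 2 and 3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === 'node_modules/vm2' || path.endsWith('/node_modules/vm2')) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => { // lockfileVersion 1: nested dependency tree
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'vm2') hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}
const auditLock = (lock) =>
  findVm2(lock).map((h) => ({ ...h, vulnerable: isVulnerable(h.version) }));

// Constructed sample lockfiles (not from the article).
const SAMPLE_LOCK_V2 = { lockfileVersion: 2, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/vm2': { version: '3.9.11' },
  'node_modules/legacy-runner/node_modules/vm2': { version: '3.9.10' },
  'node_modules/vm2-helper': { version: '1.0.0' },
} };
const SAMPLE_LOCK_V1 = { lockfileVersion: 1, dependencies: {
  'legacy-runner': { version: '2.0.0', dependencies: { vm2: { version: '3.9.5' } } },
} };
console.log(auditLock(SAMPLE_LOCK_V2), auditLock(SAMPLE_LOCK_V1));
```

To audit a real project, pass the result of `JSON.parse` on its `package-lock.json` contents to `auditLock`.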
Sandboxes may not be secure even though they are designed for containment while running untrusted code inside your application.
If using a sandbox is necessary, it is advised to isolate the microservice that runs the sandbox code from the logically sensitive part of your application. According to Yuval Ostrovsky, this will limit the attack surface if a threat actor successfully escapes the sandbox.