SOCRadar® Cyber Intelligence Inc. | Critical RCE Vulnerability with Max CVSS Score in VM2 Sandbox Library
Table Of Content
Home

Resources

Blog
Oct 12, 2022
3 Mins Read

Critical RCE Vulnerability with Max CVSS Score in VM2 Sandbox Library

A critical vulnerability in vm2 might let a remote attacker bypass the sandbox environment and execute shell commands on the device hosting the sandbox

To reduce the possibility that malicious code will harm the host machine it is running on, untrusted programs can run in an isolated environment known as a sandbox. 

With more than 16 million downloads per month, vm2 is a popular JavaScript sandbox module that allows untrusted code to run synchronously in a single process.

About the Vulnerability

Security researchers from Oxeye identified CVE-2022-36067 in August 2022 as a critical vulnerability in vm2 with a CVSS score of 10. Due to the vulnerability’s potentially wide-ranging effects, all vm2 users should be on high alert. 

Implementing a Node.js feature by vm2 maintainers that enables customizing the call stack of errors in the software testing framework is the primary cause of the vulnerability, which Oxeye’s researchers have called SandBreak

Node.js executes a specific method and passes an array of “CallSite” objects as arguments when an error occurs. The researchers clarify that some CallSite objects might return objects produced outside the sandbox. 

With control of one of the returned objects, an attacker may access Node’s global objects and execute arbitrary system commands from there, according to Oxeye. 

The researchers could also replace the global Error object with their own version, which also had a custom prepareStackTrace function. When it was called, it would discover a CallSite object outside the sandbox, allowing arbitrary code to be executed on the host. 

To reduce the risk, the prepareStackTrace function of the Error object and the called method were wrapped by the vm2 implementation so that users couldn’t override them. A hacker might still provide their own implementation of the prepareStackTrace method and bypass the sandbox because vm2 did not cover all specified methods. 

Mitigations 

On August 28, vm2 version 3.9.11 was released, fixing the SandBreak vulnerability; until now, no technical information on the vulnerability has been available. 

Oxeye requests that all vm2 sandbox instances in their environments be patched by AppSec engineers, R&D managers, and security experts

Sandboxes may not be secure even though they are designed for containment while running untrusted code inside your application. 

If using a sandbox is necessary, it is advised to isolate the microservice that runs the sandbox code from the logically sensitive part of your application. According to Yuval Ostrovsky, this will limit the attack surface if a threat actor successfully escapes the sandbox. 

Related Articles
SOCRadar® Cyber Intelligence Inc. | Docker Fixed an AuthZ Bypass Flaw Leading to Privilege Escalation: CVE-2024-41110
Docker Fixed an AuthZ Bypass Flaw Leading to Privilege Escalation: CVE-2024-41110
Jul 24, 2024
SOCRadar® Cyber Intelligence Inc. | Laravel Framework Affected by a New Critical Vulnerability (CVE-2024-40075): Patch Now
Laravel Framework Affected by a New Critical Vulnerability (CVE-2024-40075): Patch Now
Jul 24, 2024
SOCRadar® Cyber Intelligence Inc. | Suspicious Domains Exploiting the Recent CrowdStrike Outage!
Suspicious Domains Exploiting the Recent CrowdStrike Outage!
Jul 20, 2024
SOCRadar® Cyber Intelligence Inc. | CrowdStrike Update Causing Blue Screen of Death and Microsoft 365/Azure Outage
CrowdStrike Update Causing Blue Screen of Death and Microsoft 365/Azure Outage
Jul 19, 2024
SOCRadar® Cyber Intelligence Inc. | Critical Vulnerabilities in SolarWinds ARM, Serv-U, and Cisco SSM On-Prem, Secure Email Gateway Products
Critical Vulnerabilities in SolarWinds ARM, Serv-U, and Cisco SSM On-Prem, Secure Email Gateway Products
Jul 18, 2024