Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Critical Remote Code Execution Vulnerability Found in vm2 Sandbox Library

A critical vulnerability in vm2 may allow a remote attacker to escape the sandbox and execute arbitrary code on the host.

A highly popular JavaScript sandbox library with more than 16 million monthly downloads, vm2 supports the execution of untrusted code synchronously in a single process.

A critical vulnerability in vm2 may allow a remote attacker to escape the sandbox and execute arbitrary code on the host.

A highly popular JavaScript sandbox library with more than 16 million monthly downloads, vm2 supports the execution of untrusted code synchronously in a single process.

In August 2022, security researchers with Oxeye discovered CVE-2022-36067, a critical-severity defect in vm2 assessed with a CVSS score of 10 and which should put all vm2 users on alert, due to its potential widespread impact.

The root cause of the vulnerability, which Oxeye’s researchers have named SandBreak, resides in the way vm2 maintainers implemented a Node.js feature that allows them to customize the call stack of errors in the software testing framework.

“While reviewing the previous bugs disclosed to the vm2 maintainers, we noticed an interesting technique: the bug reporter abused the error mechanism in Node.js to escape the sandbox,” Oxeye senior security researcher Gal Goldshtein said.

When an error occurs, Node.js calls a specific method and provides it with an array of ‘CallSite’ objects as arguments. Some of the CallSite objects, the researchers explain, may return objects created outside the sandbox.

An attacker controlling one of the returned objects may “access Node’s global objects and execute arbitrary system commands from there”, Oxeye says.

To mitigate the risk, the vm2 implementation wrapped objects and the called method (the prepareStackTrace function of the Error object) in a manner that prevented users from overriding it.

However, because they did not wrap all specific methods, an attacker could provide their own implementation of the prepareStackTrace method and escape the sandbox.

Oxeye’s researchers were also able to override the global Error object with their own implementation that also included a custom prepareStackTrace function. When called, it would find a CallSite object outside the sandbox, allowing for the execution of arbitrary code on host.

The SandBreak vulnerability was addressed with the release of vm2 version 3.9.11 on August 28, but technical details on the bug have not been provided until now. 

Oxeye calls for AppSec engineers, R&D leaders, and security professionals to make sure that all vm2 sandbox instances within their environments are patched.

“Although sandboxes are meant to run untrusted code within your application, you shouldn’t automatically assume that they are safe. If the use of a sandbox is unavoidable, it is recommended to separate the logical sensitive part of your application from the microservice that runs the sandbox code so if a threat actor successfully breaks out from the sandbox, the attack surface is limited to the isolated microservice,” Oxeye architect Yuval Ostrovsky said.

Related: Two Remote Code Execution Vulnerabilities Patched in WhatsApp

Related: NVIDIA Patches Code Execution Vulnerabilities in Graphics Driver

Related: Many Internet-Exposed Servers Affected by Exploited Redis Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.