JavaScript sandbox vm2 remediates remote code execution risk



Ben Dixon Oct 4, 2022 12:48 UTC

Updated: Nov 25, 2022 10:52 UTC

Affected companies have been warned of bugs that increase the potential impact of using vm2 in production

JavaScript sandbox vm2 vulnerable to remote code execution

A bug in vm2, a popular JavaScript sandbox environment, could allow malicious actors to bypass sandbox protections and stage remote code execution (RCE) on the host device.

Downloaded over 4 million times a week, vm2 creates a secure context on your Node.js server so that untrusted code can be run without compromising the server.

The potential impact of the vulnerability, given a CVSS score of up to 10, was heightened by the fact that vm2 was used in production as well as development environments.

“Interesting technique”

This security flaw was discovered by Oxeye Security researchers Gal Goldshtein and Yuval Ostrovsky. “Our usual approach when evaluating the security of a particular piece of software is to first analyze previous security flaws found in the same piece of software,” he told The Daily Swig.


“This helps us get a better sense of the available attack surface and can also lead to easy bugs resulting from incomplete fixes.

“While reviewing previous bugs disclosed to the vm2 maintainers, we noticed an interesting technique. The bug reporter was abusing Node.js’s error mechanism to evade the sandbox.”

Channel between sandbox and host

Like some previous bugs found in vm2, the new bug relies on the channel that the sandbox uses to communicate with the host machine. In this case the bug was caused by improper exception handling.

“The bug we found relied on a technique that is very common in the VM bypass world, which is finding elements in the sandbox and making them work with elements outside the sandbox,” the researchers said.

“If this connection is found, it gives the attacker an opportunity to interact with the hosting process.”

This channel allows an attacker to execute arbitrary code on the Node.js server, including calling functions that execute system commands.

The team aims to release a technical write-up with details of the bug soon. The only way to prevent exploitation is to upgrade to the latest version of vm2.
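Because an upgrade is the only fix, the check a practitioner wants is whether every installed copy of vm2, including ones pulled in transitively by other dependencies, is at or above the fixed version. The following is an added example, not code from the article or the vm2 project: it scans a package-lock.json (both the lockfileVersion 1 nested tree and the lockfileVersion 2/3 flat map) for vm2 entries below a minimum version; the minimum version is passed in, since the article does not state it, and the sample lockfile and the "3.2.0" value are constructed placeholders.

```javascript
const PACKAGE = "vm2";
// Compare "MAJOR.MINOR.PATCH[-pre]" strings: numeric on the three fields,
// and a pre-release sorts below the same release number.
function compareVersions(a, b) {
  const [baseA, preA] = a.split("-");
  const [baseB, preB] = b.split("-");
  const pa = baseA.split(".").map(Number);
  const pb = baseB.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return (preA ? 0 : 1) - (preB ? 0 : 1);
}
// Yield [installPath, version] for every copy of vm2 in the lockfile:
// lockfileVersion 2/3 keeps a flat "packages" map keyed by install path,
// lockfileVersion 1 keeps a nested "dependencies" tree.
function* vm2Entries(lock) {
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    if (p === `node_modules/${PACKAGE}` || p.endsWith(`/node_modules/${PACKAGE}`)) {
      yield [p, meta.version];
    }
  }
  function* walk(deps, prefix) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${name}`;
      if (name === PACKAGE) yield [p, meta.version];
      yield* walk(meta.dependencies, `${p}/`);
    }
  }
  if (!lock.packages) yield* walk(lock.dependencies, ""); // v1 only
}
// Return every installed vm2 older than minSafe (the fixed version from
// the vm2 advisory; the article does not state it, so it is passed in).
function findOutdatedVm2(lock, minSafe) {
  const hits = [];
  for (const [path, version] of vm2Entries(lock)) {
    if (compareVersions(version, minSafe) < 0) hits.push({ path, version });
  }
  return hits;
}

// Constructed sample lockfile: an up-to-date direct vm2 plus an older copy
// nested under another dependency, which a top-level-only check would miss.
const SAMPLE_LOCK = { lockfileVersion: 2, packages: {
  "node_modules/vm2": { version: "3.2.0" },
  "node_modules/some-dep/node_modules/vm2": { version: "3.1.0" } } };
console.log(findOutdatedVm2(SAMPLE_LOCK, "3.2.0")); // "3.2.0" is a placeholder minimum
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` in place of the sample and the fixed version from the advisory as `minSafe`.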

“For running untrusted code”

“The fact that this library is in production use is not surprising, mainly due to the fact that it has over 16 million monthly downloads,” said the researchers. “We are in the process of responsible disclosure with several companies that discovered this vulnerability.”

In a separate advisory, Red Hat released a list of its services affected by the vm2 flaw.

This isn’t the first time vm2 has patched a sandbox bypass, which only highlights the difficulty of securing a sandbox environment.

“Sandboxes are generally intended to run untrusted code within an application. This means that they should not automatically assume they are safe,” the researchers said.

“If the use of sandboxes is unavoidable, it’s a good idea to separate the logical and sensitive parts of your application from the microservices that run the sandboxed code. That way, if an attacker successfully escapes the sandbox, the attack surface is limited to the isolated microservices.”
