CVE-2023-29199 - VM2 Vulnerability in Source Code Transformer Allows Sandbox Escape and Arbitrary Code Execution

A recently discovered security vulnerability, identified as CVE-2023-29199, has been found in the source code transformer of the vm2 library for versions up to 3.9.15. The vulnerability lies in the exception sanitization logic, where attackers can bypass the handleException() function and leak unsanitized host exceptions. This enables attackers to escape the sandbox and execute arbitrary code in the host context.

Exploit Details

In the affected versions of vm2, the exception sanitization logic can be circumvented by an attacker, allowing them to access host exceptions and ultimately gain remote code execution rights on the host machine running the sandbox. This exploit effectively evades the sandbox protections set in place with vm2.

Here's a code snippet showcasing the bypass of handleException():

const util = require('util');
const { VM } = require('vm2');

// Create a sandbox with a 100 ms execution timeout.
const vm = new VM({
  timeout: 100
});

const exploit = async () => {
  try {
    // Run code inside the sandbox that throws an error.
    await vm.run((async () => { throw new Error('Some error'); })());
  } catch (e) {
    // Check whether the caught error is a native host Error rather than a sanitized sandbox error.
    const unsanitizedHostError = util.types.isNativeError(e) ? e : null;
    console.log('Unsanitized host error:', unsanitizedHostError);
  }
};

exploit();

When executed, the code leaks the unsanitized host error, allowing attackers to run arbitrary code within the host context and bypass the sandbox security protections.

*Original References:*

- The official vm2 repository: https://github.com/patriksimek/vm2
- The vulnerability report and patch details: https://github.com/patriksimek/vm2/issues/337

Patched Version and Mitigation

The vulnerability has been patched in version 3.9.16 of vm2. It is highly recommended to update your vm2 library to the latest version to prevent exploitation of this vulnerability. Furthermore, developers should continue monitoring and applying security updates to their dependencies in a timely manner to maintain the security of their applications and systems.

To update your vm2 library, simply run the following command:

npm install vm2@latest

Remember to review and test your code after updating to ensure that no functionality is broken.
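Updating the direct dependency is not always enough: a second, older copy of vm2 can remain nested under another package in the dependency tree. The script below, added here as an example (it is not part of the advisory or of the vm2 project), scans a package-lock.json for every vm2 entry below the patched version 3.9.16, covering both the nested lockfile v1 "dependencies" layout and the flat v2/v3 "packages" layout. The sample lockfile and the package name "some-plugin" are constructed for the demonstration.

```javascript
// Added example (not from the vm2 project): find vm2 copies below the patched
// version in a package-lock.json, including transitive copies nested under
// other packages.

const PATCHED_VERSION = '3.9.16'; // first vm2 release fixing CVE-2023-29199

// Parse "major.minor.patch" into three numbers, ignoring a leading "v"/"^"/"~"
// and any prerelease or build suffix.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim().replace(/^[v=^~]+/, ''));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Negative if a < b, zero if equal, positive if a > b (numeric, not lexical,
// so 3.9.9 sorts before 3.9.10).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

function isVulnerable(version) {
  return compareVersions(version, PATCHED_VERSION) < 0;
}

// Walk a parsed lockfile object and return every vm2 entry that is vulnerable.
function findVulnerableVm2(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/vm2') && meta.version && isVulnerable(meta.version)) {
        hits.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" objects.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'vm2' && meta.version && isVulnerable(meta.version)) {
          hits.push({ path, version: meta.version });
        }
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Convenience wrapper taking the raw lockfile text.
function scanLockfile(jsonText) {
  return findVulnerableVm2(JSON.parse(jsonText));
}

// Constructed sample lockfile (not real project data): the direct vm2 is
// patched, but a transitive copy under a hypothetical "some-plugin" is not.
const SAMPLE_LOCK_JSON = JSON.stringify({
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.9.16' },
    'node_modules/some-plugin': { version: '2.0.0' },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.9.15' }
  }
});

// To scan a real project, pass the contents of its package-lock.json instead,
// e.g. require('fs').readFileSync('package-lock.json', 'utf8').
for (const hit of scanLockfile(SAMPLE_LOCK_JSON)) {
  console.log(`VULNERABLE: ${hit.path} (vm2@${hit.version}, needs >= ${PATCHED_VERSION})`);
}
```

Run it against a real lockfile and treat any reported path as a package that still needs `npm update vm2` or an override until the nested copy is at 3.9.16 or later.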

Conclusion

CVE-2023-29199 represents a serious security concern for those using vulnerable versions of the vm2 library. By gaining unauthorized access to the host's exceptions, attackers can execute arbitrary code and potentially compromise the entire system. It is crucial to update your dependencies to the latest version and stay vigilant about potential vulnerabilities in your software stack.

Timeline

Published on: 04/14/2023 19:15:00 UTC
Last modified on: 04/25/2023 15:14:00 UTC