JavaScript sandbox vm2 addresses remote code execution risk

Affected companies are alerted to a bug whose potential impact is increased by the use of vm2 in production environments

A bug in vm2, a popular JavaScript sandbox environment, could allow malicious actors to bypass sandbox protections and stage remote code execution (RCE) on the host device.

vm2, which has over four million downloads per week, creates an isolated context in Node.js servers for running untrusted code without compromising the server.

The potential impact of the vulnerability, which was assigned the maximum possible CVSS score of 10, is elevated by the fact that vm2 is used in both production and development environments.

“Interesting technology”

The security flaw was discovered by Oxeye Security researchers Gal Goldshtein and Yuval Ostrovsky. “Our usual approach when evaluating the security of any given software is to first analyze previous security vulnerabilities discovered in the same software,” Oxeye’s security team told The Daily Swig.


“This helps us better understand the available attack surface and can also lead to bugs at hand resulting from incomplete fixes.

“While reviewing previous bugs disclosed to vm2 maintainers, we noticed an interesting technique: the bug reporter abused the error mechanism in Node.js to escape the sandbox.”

Channels between sandbox and host

Like several previous bugs found in vm2, the new bug relies on the channels the sandbox uses to communicate with the host machine. In this case, the bug was caused by poor exception handling.

“The bug we found relies on a fairly common technique in the VM workaround world, which is to find things in the sandbox that can cooperate with things outside of it,” the researchers said.

“This connection, when found, gives the attacker the ability to interact with the hosting process.”

This channel allows the attacker to execute arbitrary code on the Node.js server, in particular by invoking functions that execute system commands.

The team aims to release a technical write-up of the bug with more details soon. The only way to prevent exploitation is to upgrade to the latest version of vm2.

“Designed to run untrusted code”

“We weren’t surprised that this library was used in production environments, primarily due to the fact that it has over 16 million downloads per month,” the researchers said. “We are in the process of responsibly disclosing with multiple companies where we have found this vulnerability.”

In a separate advisory, Red Hat published a list of its services that are affected by the vm2 flaw.

This isn’t the first time vm2 has patched a sandbox bypass, which only highlights the difficulties of securing sandbox environments.

“Generally, sandboxes are meant to run untrusted code in an application. This means you shouldn’t automatically assume they’re safe,” the researchers said.

“If the use of a sandbox is unavoidable, we recommend that you separate the logical and sensitive part of the application from the microservice that runs the sandbox code. That way, if a malicious actor manages to break out of the sandbox, the attack surface is limited to the isolated microservice.”
