
WARNING: AN RCE VULNERABILITY IN VM2 JAVASCRIPT LIBRARY COULD LEAD TO A SANDBOX ESCAPE, PoC IS AVAILABLE, PATCH IMMEDIATELY!

Reference: Advisory #2023-57
Version: 1.0
Affected software: All vm2 JavaScript library versions prior to version 3.9.18
Type: Remote code execution (RCE) & defense evasion
CVE/CVSS:

CVE-2023-32314, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2023-32313, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

 

Sources

https://github.com/patriksimek/vm2/security/advisories

Risks

Two critical vulnerabilities (CVE-2023-32313 and CVE-2023-32314) were patched in the release of new versions of the vm2 JavaScript sandbox library.

Successful exploitation of CVE-2023-32314 allows a threat actor to bypass the sandbox protections and gain remote code execution rights on the host running the sandbox.

Successful exploitation of CVE-2023-32313 allows a threat actor to interact with the logging capabilities and hide its activity during an attack.

Successful exploitation has a high impact on Confidentiality, Integrity and Availability.

Proof-of-concept code is published, so exploitation in the near future is highly likely.

The Centre for Cybersecurity Belgium recommends system administrators to patch vulnerable systems as soon as possible and to analyse system and network logs for any suspicious activity.

If you have already identified an intrusion or incident, please report it via: https://cert.be/en/report-incident

 

Description

Vm2 is a well-known JavaScript sandbox library that is used by software, including IDEs, code editors, and various security tools. It allows partial code execution on isolated Node.js servers while securing system resources and external data from unauthorized access.

CVE-2023-32314 is a critical sandbox escape vulnerability that abuses an unexpected creation of a host object based on the specification of Proxy.

CVE-2023-32313 is a defense evasion vulnerability where an attacker can get a read-write reference to the Node.js inspect method and edit options for the console's log function. This enables a threat actor to evade detection, for instance by creating misleading error messages and hiding its tracks.

 

Recommended Actions

The Centre for Cybersecurity Belgium recommends system administrators to patch vulnerable systems as soon as possible and to analyse system and network logs for any suspicious activity.

Patches are available in the release of new versions of the vm2 JavaScript sandbox library.

If you have already identified an intrusion or incident, please report it via: https://cert.be/en/report-incident
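
One way to act on the patch recommendation, as an added example that is not part of this advisory or of the vm2 project: a Node.js check that lists every vm2 copy in a parsed package-lock.json, including copies pulled in by other packages, and flags versions below 3.9.18. The sample lockfile and the package names in it are constructed.

```javascript
// Added example: flag vm2 copies older than 3.9.18, the first fixed version
// according to this advisory, in an already-parsed package-lock.json.
const FIXED = [3, 9, 18];

// Assumption: pre-release/build suffixes are ignored when comparing.
function isVulnerable(version) {
  const parts = String(version).split(/[-+]/)[0].split('.').map(Number);
  if (parts.length < 3 || parts.some(Number.isNaN)) return true; // unparseable: review by hand
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return false; // exactly 3.9.18
}

function findVm2(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === 'node_modules/vm2' || path.endsWith('/node_modules/vm2')) {
        hits.push({ where: path, version: meta.version });
      }
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const where = trail ? `${trail} > ${name}` : name;
        if (name === 'vm2') hits.push({ where, version: meta.version });
        walk(meta.dependencies, where);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits.map((h) => ({ ...h, vulnerable: isVulnerable(h.version) }));
}

// Constructed sample lockfile; "some-tool" is a made-up package name.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.9.19' },
    'node_modules/some-tool/node_modules/vm2': { version: '3.9.17' },
  },
};
for (const h of findVm2(sampleLock)) {
  console.log(`${h.vulnerable ? 'VULNERABLE' : 'ok'}  vm2@${h.version}  ${h.where}`);
}
```

To scan a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findVm2`.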