
Warning: 2 critical vulnerabilities in the discontinued VM2 JavaScript library could lead to Remote Code Execution

Reference: 
Advisory #2023-92
Version: 
1.0
Affected software: 
VM2, all versions up to and including 3.9.19
Type: 
Sandbox escape, Remote Code Execution (RCE)
CVE/CVSS: 

CVE-2023-37466: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2023-37903: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

https://github.com/patriksimek/vm2

https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5

https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4

Risks

The VM2 sandbox vulnerabilities could lead to Remote Code Execution, which can have a severe impact on the confidentiality, integrity and availability of the affected system. Attack complexity is low and no authentication is required to exploit these vulnerabilities.

The maintainer of the project announced on 11 July 2023 that the project is discontinued and that no further patches will be made available to fix these vulnerabilities or any future issue.

The advisories further state that proof-of-concept (PoC) code will be released on or after 5 September 2023, which will make exploitation of the weaknesses easier and more likely to occur.

Description

VM2 is a well-known JavaScript sandbox library used by many applications, including IDEs, code editors and various security tools. It is meant to run untrusted JavaScript in an isolated context inside a Node.js process while protecting the host's system resources and external data from unauthorised access.

The project was recently discontinued, and shortly afterwards two sandbox escape vulnerabilities were disclosed. They differ in the mechanism used to escape the sandbox.

CVE-2023-37466 is a critical sandbox escape vulnerability in which the sanitization of "Promise" handlers can be bypassed, leading to Remote Code Execution on the host, assuming the attacker can already execute arbitrary code inside the vm2 sandbox.

CVE-2023-37903 is a critical sandbox escape vulnerability in which the Node.js custom inspect function can be abused, leading to Remote Code Execution on the host, assuming the attacker can already execute arbitrary code inside the vm2 sandbox.

Both issues therefore directly expose any application that evaluates untrusted or user-supplied JavaScript through vm2: the sandbox boundary such an application relies on no longer holds.

Recommended actions

The Centre for Cybersecurity Belgium strongly recommends that organisations stop using the discontinued VM2 project in production as soon as possible. The developer of the project suggests migrating code to the "isolated-vm" project. This project has not been verified by the CCB. Users are advised to assess how they will replace VM2 for their existing needs.

Because vm2 is frequently pulled in indirectly by other packages, the check should cover the full dependency tree (for example with `npm ls vm2` or by inspecting the lockfile), not only direct dependencies. Until VM2 has been replaced, applications that run untrusted JavaScript through it should stop doing so, since no patched version will be published.