
WARNING: AN RCE VULNERABILITY IN THE VM2 JAVASCRIPT LIBRARY COULD LEAD TO A SANDBOX ESCAPE, PATCH IMMEDIATELY!

Reference:
Advisory #2023-43
Version:
1.0
Affected software:
vm2 JavaScript library
Type:
Remote code execution (RCE)
CVE/CVSS:
CVE-2023-29199 CVSS:9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2023-30547 CVSS:9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Sources

https://nvd.nist.gov/vuln/detail/CVE-2023-29199
https://nvd.nist.gov/vuln/detail/CVE-2023-30547

Risks

Two critical vulnerabilities (CVE-2023-29199 and CVE-2023-30547) have been patched in new releases of the vm2 JavaScript sandbox library.

Successful exploitation of CVE-2023-29199 and CVE-2023-30547 allows an attacker to bypass the sandbox protections and gain remote code execution rights on the host running the sandbox.

Successful exploitation has a high impact on Confidentiality, Integrity and Availability.

Proof-of-concept code has been published; exploitation in the near future is highly likely.

The Centre for Cybersecurity Belgium recommends that system administrators patch vulnerable systems as soon as possible and analyse system and network logs for any suspicious activity.

If you have already identified an intrusion or incident, please report it via: https://cert.be/en/report-incident

Description

vm2 is a well-known JavaScript sandbox library used by a wide range of software, including IDEs, code editors and various security tools. It allows partially trusted code to be executed in an isolated Node.js context while protecting system resources and external data from unauthorized access.

A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.

CVE-2023-29199 and CVE-2023-30547 both originate in the exception sanitization logic: an attacker can bypass the `handleException()` function, which can leak unsanitized host exceptions into the sandboxed code.

Recommended actions

The Centre for Cybersecurity Belgium recommends that system administrators patch vulnerable systems as soon as possible and analyse system and network logs for any suspicious activity.

Patches are available in the following releases of the vm2 JavaScript sandbox library:

• CVE-2023-29199 was patched in version 3.9.16
• CVE-2023-30547 was patched in version 3.9.17
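
As an added example (not part of this advisory and not code from the vm2 project), the following Node.js script checks the vm2 versions recorded in an npm lockfile against the fixed versions listed above and reports which CVEs each installed copy is still exposed to. It deliberately compares versions numerically, since a plain string comparison would rank 3.9.9 above 3.9.16. The fixed versions and CVE identifiers are the ones given in this advisory; the lockfile content is constructed sample data, and the package name `some-plugin` is hypothetical.

```javascript
// Added example (not from the CCB advisory): flag installed vm2 copies that predate
// the fixes named in the advisory. Fixed versions below come from the advisory text;
// the lockfile object at the bottom is constructed sample data.

const FIXES = [
  { cve: 'CVE-2023-29199', fixedIn: '3.9.16' },
  { cve: 'CVE-2023-30547', fixedIn: '3.9.17' },
];

// Parse "MAJOR.MINOR.PATCH" (optional leading "v", optional -prerelease / +build
// suffix, which are ignored here) into three numbers; returns null if malformed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${!pa ? a : b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// CVEs from FIXES whose fix is newer than the installed version.
function unpatchedCves(version) {
  return FIXES.filter((f) => compareVersions(version, f.fixedIn) < 0).map((f) => f.cve);
}

// Collect every installed copy of vm2 (direct or nested) from an npm lockfile object.
// lockfileVersion 2/3 expose a flat "packages" map keyed by install path; lockfileVersion 1
// nests a "dependencies" tree instead, so both shapes are handled.
function findVm2(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === 'node_modules/vm2' || path.endsWith('/node_modules/vm2')) {
        found.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'vm2') found.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// One report entry per installed vm2 copy, with the CVEs it remains exposed to.
function auditLockfile(lock) {
  return findVm2(lock).map((entry) => ({ ...entry, cves: unpatchedCves(entry.version) }));
}

// Constructed sample lockfile (lockfileVersion 3 shape): a direct vm2 at 3.9.15 and a
// transitive copy under a hypothetical "some-plugin" already at 3.9.17. The similarly
// named "vm2-lookalike" must not be matched.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.9.15' },
    'node_modules/some-plugin': { version: '2.0.0' },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.9.17' },
    'node_modules/vm2-lookalike': { version: '3.9.1' },
  },
};

for (const r of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${r.path} @ ${r.version}: ${r.cves.length ? r.cves.join(', ') : 'patched'}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; nested copies matter because a transitive vm2 pulled in by a plugin is just as exploitable as a direct dependency.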

If you have already identified an intrusion or incident, please report it via: https://cert.be/en/report-incident

References

https://thehackernews.com/2023/04/critical-flaws-in-vm2-javascript.html?m=1