A bug in vm2, a popular JavaScript sandbox environment, could allow malicious actors to bypass sandbox protections and stage remote code execution (RCE) on the host device.
Vm2, which has more than four million downloads per week, creates a secure context in Node.js servers to run untrusted code without compromising the server.
The potential impact of the vulnerability, which was given a maximum possible CVSS score of 10, was elevated by the fact that vm2 is used in production as well as developer environments.
‘Interesting technique’
The security flaw was discovered by Oxeye Security researchers Gal Goldshtein and Yuval Ostrovsky. “Our usual approach when evaluating a given software’s security is first to analyze the previous security lapses discovered in the same software,” the Oxeye security team told The Daily Swig.
“This helps us better grasp the available attack surface and may also lead to low-hanging bugs stemming from incomplete fixes.
“While reviewing the previous bugs disclosed to the vm2 maintainers, we noticed an interesting technique: the bug reporter abused the error mechanism in Node.js to escape the sandbox.”
Channels between sandbox and host
Like several previous bugs found in vm2, the new bug relies on the channels the sandbox uses to communicate with the host machine. In this case, the bug was caused by improper exception handling.
“The bug we found relies on a technique that is quite common in the VM bypass world, which is to find elements within the sandbox that can cooperate with elements outside of it,” the researchers said.
“This connection, when found, gives the attacker the opportunity to interact with the hosting process.”
This channel allows the attacker to run arbitrary code on the Node.js server, including invoking functions that run system commands.
The team aims to release a technical review of the bug with more details soon. The only way to prevent exploits is to upgrade to the newest version of vm2.
‘Meant to run untrusted code’
“We weren’t surprised by the fact that this library is used in production environments, mainly due to the fact that it has over 16 million downloads per month,” the researchers said. “We are in the process of responsible disclosure with several companies where we found this vulnerability in.”
In a separate advisory, RedHat has released a list of its services that are affected by the vm2 flaw.
This is not the first time that vm2 has patched a sandbox bypass, which only highlights the difficulties of securing sandbox environments.
“Sandboxes in general are meant to run untrusted code within an application. This means that you shouldn’t automatically assume that they are safe,” the researchers said.
“If the use of a sandbox is unavoidable, we recommend separating the logical, sensitive part of the application from the microservice that runs the sandbox code so if a threat actor successfully breaks out from the sandbox, the attack surface is limited to the isolated microservice.”
Source: https://portswigger.net/daily-swig/javascript-sandbox-vm2-remediates-remote-code-execution-risk