Patch Released for Critical vm2 Sandbox Escape Vulnerability (CVE-2023-29017, CVE-2023-29199 and CVE-2023-30547)

Description

UPDATE April 19 2023: Updated to include another sandbox vulnerability in vm2 (CVE-2023-30547).


Earlier this week, an update was released for critical sandbox escape vulnerabilities in vm2 (CVE-2023-29017 and CVE-2023-29199), which ultimately allow for remote code execution by an attacker. vm2 is a widely used module within the Node.js library that provides a sandbox environment. Successfully exploiting both vulnerabilities allows attackers to execute untrusted code on the host system by running and escaping a sandbox on the vulnerable vm2 modules.

On April 17th, vm2 was updated to version 3.9.17 in response to another sandbox vulnerability in vm2 (CVE-2023-30547).


Why is this Significant?

This is significant because vm2 is a popular built-in module in Node.js. Furthermore, proof-of-concept (PoC) code is publicly available for CVE-2023-29017, CVE-2023-29199 and CVE-2023-30547. Although the latest vm2 version (3.9.17) includes a fix for the CVEs, threat actors are expected to exploit these soon because PoCs are publicly available. As such, users should upgrade vm2 to version 3.9.16 as soon as possible.


What is CVE-2023-29017?

The vulnerability arises because vulnerable vm2 versions do not properly handle host objects passed to "Error.prepareStackTrace" in the case of unhandled async errors. Successfully exploiting the vulnerability allows attackers to execute untrusted code on the host system by running a sandbox created by the vulnerable vm2 modules.


Is an Advisory Available for CVE-2023-29017?

Yes, see the Appendix for a link to "Sandbox Escape (CVE-2023-29017)".


What Version of vm2 is Vulnerable to CVE-2023-29017?

vm2 versions 3.9.15 and prior are vulnerable to CVE-2023-29017.


What is the CVSS score for CVE-2023-29017?

The vulnerability has a CVSS score of 9.8 and is rated "CRITICAL" according to the advisory page for vm2.


What is CVE-2023-29199?

CVE-2023-29199 is a sandbox escape vulnerability for vm2 caused by an improper leak of unsanitized host exceptions. This type of vulnerability could allow an attacker to execute untrusted code on the host running a sandbox created by the vulnerable vm2 modules.


The vulnerability has a CVSS score of 9.8 and is rated "CRITICAL" according to the advisory.


What Version of vm2 is Vulnerable to CVE-2023-29199?

vm2 versions 3.9.15 and prior are vulnerable to CVE-2023-29199.


Is an Advisory Available for CVE-2023-29199?

Yes, see the Appendix for a link to "Sandbox Escape (CVE-2023-29199)".


Is a Patch Available for CVE-2023-29199?

Yes, the issue is fixed in vm2 version 3.9.16 or later.


What is CVE-2023-30547?

CVE-2023-30547 is a sandbox escape vulnerability for vm2 caused by an improper leak of unsanitized host exceptions. This type of vulnerability could allow an attacker to execute untrusted code on the host running a sandbox created by the vulnerable vm2 modules.


The vulnerability has a CVSS score of 9.8 and is rated "CRITICAL" according to the advisory.


What Version of vm2 is Vulnerable to CVE-2023-30547?

vm2 versions 3.9.16 and prior are vulnerable to CVE-2023-30547.


Is an Advisory Available for CVE-2023-30547?

Yes, see the Appendix for a link to "Sandbox Escape (CVE-2023-30547)".


Is a Patch Available for CVE-2023-30547?

Yes, the issue is fixed in vm2 version 3.9.17 or later.


How Widespread is the Issue?

At this time, it appears to be unknown. This could become a major issue given the popularity of vm2. While there are no reports of the vulnerabilities being widely exploited in the wild, threat actors will start incorporating them in their arsenal, as PoCs are becoming readily available.


What is the Status of Protection?

FortiGuard Labs has updated IPS signature "vm2.Sandbox.Error.prepareStackTrace.Remote.Code.Execution" to include CVE-2023-29017, CVE-2023-29199 and CVE-2023-30547, and released it in version 23.534.

FortiGuard Labs has an Outbreak Alert page published for this issue under "VM2 Sandbox Escape Vulnerability" which contains additional details on protections available beyond AV and IPS coverage.


Any Recommended Mitigation?

Currently no known mitigation is available. Users should update vm2 to 3.9.17 as soon as possible.

Outbreak Alert

vm2 is a sandbox solution that can run untrusted code with whitelisted Node.js built-in modules. By exploiting the flaws, threat actors can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.
