Sandbreak – A Critical Remote Code Execution Bug Found in Widely Used vm2 JavaScript Sandbox
Cybersecurity analysts at the Oxeye research group have discovered a critical RCE flaw in the JavaScript sandbox library vm2, dubbed “Sandbreak.”
Through the NPM package repository, the vm2 sandbox library achieves a total of 16 million downloads every month, as it is one of the most popular JavaScript sandboxes.
CVE-2022-36067 is the CVE ID assigned to the vm2 vulnerability. It has been given a CVSS severity score of 10.0, the highest score possible.
An attacker can bypass the vm2 environment by exploiting CVE-2022-36067. After successful exploitation of this vulnerability, the attacker is able to run shell commands on the victim's system from inside the sandboxed environment.
Flaw Profile
- CVE ID: CVE-2022-36067
- Description: Remote code execution vulnerability in the vm2 sandbox library
- CVSS Score: 10
- Severity: Critical
- Status: Patched
Technical Analysis
As of August 28, 2022, version 3.9.11 has been released to address this critical vulnerability. With its built-in module allow-list, vm2 is one of the most popular Node libraries for running untrusted code inside a virtual machine.
The vm2 maintainers are believed to have implemented a Node.js feature in an insecure manner, which is the root cause of this vulnerability.
An error that occurs inside vm2 can be customized to generate an object called a “CallSite”, which can be used to customize the call stack.
Because of this, by creating these objects it is possible to execute commands and access the Node.js global objects outside the sandbox.
Oxeye's researchers found a way to bypass the mitigation mechanism used by the library's authors, which had previously served to limit the possibility of this happening. To do this, the “prepareStackTrace” method can be customized to perform this action.
Advice
VM2 was notified of this critical issue a few days after Oxeye discovered it on August 16, 2022. Version 3.9.11, which addresses this issue, was released on August 28, 2022, by the authors of the VM2 library.
Applications that make use of the sandbox without any patches could face alarming consequences as a result of the exploitation of CVE-2022-36067.
In response, cybersecurity experts have strongly recommended that users immediately install version 3.9.11 of the software in order to protect themselves.
Source credit : cybersecuritynews.com