CVE-2023-29199: Critical Sandbox Escape Vulnerability in VM2 library
The vulnerability, tracked as CVE-2023-29199, affects VM2 versions up to 3.9.15 and resides in the library’s source code transformer, specifically in the exception sanitization logic. The flaw allows attackers to bypass the handleException() function and leak unsanitized host exceptions, which can then be used to escape the sandbox and execute arbitrary code in the host context. The vulnerability was discovered and disclosed by Xion (SeungHyun Lee) of the KAIST Hacking Lab.
Compounding the risk, a security researcher has released proof-of-concept exploit code on GitHub in a secret repository. This raises the stakes, as it makes it easier for malicious actors to take advantage of the vulnerability.
The vulnerability has been patched in version 3.9.16 of VM2. However, because exploit code has been released, developers and organizations must act swiftly to update their systems so that they are protected from exploitation of this vulnerability.
With no available workarounds for CVE-2023-29199, it is imperative for users of VM2 to update to the latest version as soon as possible to mitigate the risks associated with this vulnerability.
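A check for the affected range described above, added here as an example and not code from the VM2 project or the original article: it scans a parsed package-lock.json for direct and transitive vm2 copies older than 3.9.16. The function names and the sample lockfile are constructed for illustration.

```javascript
const FIXED = [3, 9, 16]; // first patched vm2 release, per the article

// True when a version string is below FIXED. Unparsable versions and
// prereleases of FIXED are reported as affected (conservative assumption).
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?/.exec(String(version));
  if (!m) return true;
  const v = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED[i]) return v[i] < FIXED[i];
  }
  return Boolean(m[4]); // same core version: only a prerelease tag sorts lower
}

// Collect every vm2 entry, direct or transitive, from a parsed lockfile.
// Handles lockfileVersion 2/3 ("packages" keyed by install path) and
// lockfileVersion 1 (nested "dependencies").
function findVm2(lock) {
  const hits = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/vm2' || path.endsWith('/node_modules/vm2')) {
      hits.push({ path, version: info.version });
    }
  }
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === 'vm2') hits.push({ path, version: info.version });
      walk(info.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits.map((h) => ({ ...h, affected: isAffected(h.version) }));
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.9.16' },
    'node_modules/some-runner/node_modules/vm2': { version: '3.9.15' },
  },
};

for (const hit of findVm2(SAMPLE_LOCK)) {
  console.log(`${hit.affected ? 'AFFECTED' : 'ok      '} ${hit.path}@${hit.version}`);
}
```

To check a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findVm2`; a nested copy pulled in by another dependency needs updating just as much as a direct one.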
CVE-2023-29199 highlights the potential dangers of running untrusted code in a sandboxed environment. With exploit code released and VM2 in widespread use, it’s crucial for developers and organizations to update their systems to the latest patched version without delay.