Exploit available for critical RCE (CVE-2023-32314) bug in VM2 sandbox library
Two major vulnerabilities have surfaced in VM2, a popular JavaScript sandbox library. With over 16 million monthly downloads, VM2 is relied on by a wide range of software to run untrusted code in an isolated virtual environment, preventing that code from reaching system resources or external data.
The maintainers of the VM2 library swiftly patched these critical flaws, which, if exploited, could permit malicious actors to circumvent the sandbox boundary, tamper with console logging, and execute arbitrary shellcode. The vulnerabilities, identified as CVE-2023-32314 and CVE-2023-32313, were discovered by Takeshi Kaneko, a researcher at GMO Cybersecurity by Ierae, Inc.
CVE-2023-32314: Breaking Out of the Sandbox
The first vulnerability, CVE-2023-32314, carries a CVSS score of 9.8, indicating its critical nature. This sandbox escape affected VM2 versions up to and including 3.9.17 and stemmed from the unexpected creation of a host object through the Proxy specification.
In essence, this vulnerability could allow a malicious entity to bypass the sandbox protections. Once those protections are sidestepped, the attacker can achieve remote code execution on the host running the sandbox. This is a particularly dangerous situation: it effectively hands the attacker the keys to the kingdom, allowing them to run arbitrary code on the target system.
Fortunately, the maintainers of VM2 have patched this vulnerability in version 3.9.18. It is worth noting, however, that there are no known workarounds for this vulnerability, so upgrading is the only remediation.
CVE-2023-32313: Inspect Manipulation
The second vulnerability, CVE-2023-32313, carries a CVSS score of 5.3. This flaw allowed a malicious actor to obtain a read-write reference to the Node.js inspect method and alter the options used by console.log.
While this flaw does not present the same level of risk as the sandbox escape, it is far from harmless. The ability to manipulate console.log options could be used for various malicious activities, such as altering log output, creating misleading error messages, or hiding an attacker's activities.
The good news is that this vulnerability was also addressed in VM2 version 3.9.18. For users who cannot immediately upgrade, a viable workaround is to make the inspect method read-only after creating a VM, by calling `vm.readonly(inspect)` on the VM instance.
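Because CVE-2023-32314 has no workaround, the practical defender's task is finding every copy of VM2 below 3.9.18 in a dependency tree, including transitive copies nested under other packages. The following audit script is an added example, not code from the article or the VM2 project; it walks a package-lock.json (both the v1 "dependencies" layout and the v2/v3 "packages" layout) over a constructed sample lockfile, and the package name `some-tool` is a placeholder.

```javascript
// Added example: flag vm2 entries in a package-lock.json older than the fixed release.
// Both CVE-2023-32314 and CVE-2023-32313 are fixed in vm2 3.9.18.
const FIXED_VERSION = "3.9.18";

// Compare two dotted numeric versions (e.g. "3.9.17" vs "3.9.18"); returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function makeHit(path, version) {
  return { path, version, vulnerable: compareVersions(version, FIXED_VERSION) < 0 };
}

// Locate every vm2 copy. Lockfile v2/v3 stores flat keys such as
// "node_modules/some-tool/node_modules/vm2"; lockfile v1 nests "dependencies" objects.
function findVm2(lock) {
  const hits = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key === "node_modules/vm2" || key.endsWith("/node_modules/vm2")) {
      hits.push(makeHit(key, meta.version));
    }
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = prefix + "node_modules/" + name;
      if (name === "vm2") hits.push(makeHit(path, meta.version));
      walk(meta.dependencies, path + "/"); // recurse into nested (v1) dependencies
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// One human-readable finding per vulnerable copy; an empty array means the tree is clean.
function auditReport(lock) {
  return findVm2(lock)
    .filter((h) => h.vulnerable)
    .map((h) => `${h.path}@${h.version} is below ${FIXED_VERSION}: upgrade (CVE-2023-32314 has no workaround)`);
}

// Constructed sample lockfile: the direct vm2 is patched, but a transitive copy is still 3.9.17.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/vm2": { version: "3.9.18" },
    "node_modules/some-tool": { version: "1.0.0" }, // placeholder package name
    "node_modules/some-tool/node_modules/vm2": { version: "3.9.17" },
  },
};
```

Running `auditReport(SAMPLE_LOCK)` reports only the nested 3.9.17 copy, which is the case an `npm ls vm2` check at the top level is easy to miss.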
Proof-of-Concept Exploit Code
Following the release of the patched VM2 version, Takeshi Kaneko published proof-of-concept code for both CVE-2023-32314 and CVE-2023-32313 on GitHub [1, 2]. These repositories are a valuable resource for understanding the mechanics of the vulnerabilities and the measures taken to mitigate them.
In conclusion, while the flaws in VM2 presented significant threats, the swift action of its maintainers and the cybersecurity research community at large has ensured that users can continue to trust and rely on this popular JavaScript sandbox library. However, this incident serves as a stark reminder of the critical importance of regular patching and the continuous vigilance required in the realm of cybersecurity.