Exploit available for critical RCE (CVE-2023-32314) bug in VM2 sandbox library
The maintainers of the VM2 library swiftly patched these critical flaws, which, if exploited, could permit malicious actors to circumvent security boundaries, modify console logs, and execute arbitrary shellcodes. These vulnerabilities, identified as CVE-2023-32314 and CVE-2023-32313, were discovered by Takeshi Kaneko, a researcher at GMO Cybersecurity by Ierae, Inc.
CVE-2023-32314: Breaking Out of the Sandbox
The first vulnerability, CVE-2023-32314, carries a CVSS score of 9.8, indicating its critical nature. This sandbox escape vulnerability was present in VM2 versions up to 3.9.17, exploiting an unexpected creation of a host object based on the Proxy specification.
In essence, this vulnerability could allow a malicious entity to bypass the sandbox protections. Once these protections are sidestepped, the attacker could gain remote code execution rights on the host running the sandbox. This is a particularly dangerous situation, as it essentially hands the keys to the kingdom to the attacker, enabling them to execute arbitrary code on the target system.
Fortunately, the maintainers of VM2 have patched this vulnerability in version 3.9.18, preventing further exploits. However, it is worth noting that there are no known workarounds for this vulnerability.
CVE-2023-32313: Inspect Manipulation
The second vulnerability, CVE-2023-32313, carries a CVSS score of 5.3. This flaw enabled the malicious actor to manipulate the inspect method, allowing them to get a read-write reference to the Node.js inspect method and alter options for console.log.
While this flaw doesn’t present the same level of risk as the sandbox escape, it’s far from harmless. The ability to manipulate console.log options could be used for various malicious activities such as altering log files, creating misleading error messages, or even hiding an attacker’s activities.
The good news is that this vulnerability was also addressed in VM2 version 3.9.18. For users who cannot immediately upgrade, a viable workaround is to make the inspect method readonly after creating a VM. This can be achieved using the command: `vm.readonly(inspect)`.
Proof-of-Concept Exploit Code
Following the release of the patched VM2 version, Takeshi Kaneko published the exploit code for both CVE-2023-32314 and CVE-2023-32313 on GitHub [1, 2]. These repositories provide a valuable resource for understanding the mechanics of these vulnerabilities and the measures taken to mitigate them.