{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/vm2--3.11.0/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["vm2 (\u003c= 3.11.0)"],"_cs_severities":["critical"],"_cs_tags":["sandbox-escape","vm2","code-execution"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eA critical vulnerability exists in vm2 versions 3.11.0 and below, specifically impacting the \u003ccode\u003eNodeVM\u003c/code\u003e when the \u003ccode\u003enesting: true\u003c/code\u003e option is enabled. This flaw allows untrusted code running within the sandbox to bypass the intended \u003ccode\u003erequire\u003c/code\u003e restrictions, even when \u003ccode\u003erequire: false\u003c/code\u003e is explicitly set. By exploiting this bypass, malicious code can gain access to the \u003ccode\u003evm2\u003c/code\u003e module itself, create a new inner \u003ccode\u003eNodeVM\u003c/code\u003e with unrestricted permissions, and ultimately execute arbitrary OS commands on the host system. This can lead to complete compromise of applications relying on vm2 for secure code execution, affecting multi-tenant platforms, REPL services, and CI sandboxing environments. The vulnerability stems from how \u003ccode\u003enesting: true\u003c/code\u003e overrides the \u003ccode\u003erequire\u003c/code\u003e settings during module resolution, silently allowing access to \u003ccode\u003evm2\u003c/code\u003e even when it should be blocked.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe host application creates a \u003ccode\u003eNodeVM\u003c/code\u003e instance with \u003ccode\u003enesting: true\u003c/code\u003e and \u003ccode\u003erequire: false\u003c/code\u003e (or a restrictive require list) to sandbox untrusted code.\u003c/li\u003e\n\u003cli\u003eThe untrusted code within the sandbox calls \u003ccode\u003erequire('vm2')\u003c/code\u003e. Due to the vulnerability, this succeeds despite the outer VM\u0026rsquo;s require restrictions.\u003c/li\u003e\n\u003cli\u003eThe sandbox code obtains the \u003ccode\u003eNodeVM\u003c/code\u003e constructor from the required \u003ccode\u003evm2\u003c/code\u003e module.\u003c/li\u003e\n\u003cli\u003eThe sandbox creates a new, inner \u003ccode\u003eNodeVM\u003c/code\u003e instance, specifying its own \u003ccode\u003erequire\u003c/code\u003e configuration to include \u003ccode\u003echild_process\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe inner \u003ccode\u003eNodeVM\u003c/code\u003e uses \u003ccode\u003echild_process.execSync()\u003c/code\u003e to execute an arbitrary OS command (e.g., \u003ccode\u003eid\u003c/code\u003e, \u003ccode\u003ewhoami\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe output of the executed command is converted to a string.\u003c/li\u003e\n\u003cli\u003eThe inner VM returns the command output to the outer VM.\u003c/li\u003e\n\u003cli\u003eThe outer VM returns the command output to the host application, effectively escaping the sandbox.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary OS commands as the user running the host Node.js process. This gives the attacker the ability to read and write files, potentially exfiltrate sensitive information (secrets, API keys, etc.), move laterally within the network the host resides on, and establish persistent access to the compromised system. Any application employing \u003ccode\u003evm2\u003c/code\u003e with \u003ccode\u003enesting: true\u003c/code\u003e to isolate untrusted code is vulnerable. This includes multi-tenant systems and CI/CD environments, posing a severe risk to infrastructure security. The vulnerability exists because developers expect \u003ccode\u003erequire: false\u003c/code\u003e to provide a solid sandbox restriction, but enabling \u003ccode\u003enesting: true\u003c/code\u003e silently overrides this expectation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade to a patched version of \u003ccode\u003evm2\u003c/code\u003e that addresses this vulnerability.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, avoid using \u003ccode\u003enesting: true\u003c/code\u003e in \u003ccode\u003eNodeVM\u003c/code\u003e configurations where untrusted code execution is involved.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect vm2 Nesting Sandbox Escape via Child Process\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging to support the detection rules.\u003c/li\u003e\n\u003cli\u003eAudit existing \u003ccode\u003eNodeVM\u003c/code\u003e configurations within your applications to identify instances where \u003ccode\u003enesting: true\u003c/code\u003e is used in conjunction with restricted \u003ccode\u003erequire\u003c/code\u003e settings.\u003c/li\u003e\n\u003cli\u003eConsider alternative sandboxing solutions that offer more robust module isolation if \u003ccode\u003evm2\u003c/code\u003e cannot be adequately secured.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-28T12:00:00Z","date_published":"2024-01-28T12:00:00Z","id":"/briefs/2024-01-28-vm2-sandbox-escape/","summary":"A vulnerability in vm2's NodeVM, when nesting is enabled, allows sandbox code to bypass require restrictions, enabling arbitrary OS command execution on the host.","title":"vm2 NodeVM Nesting Bypass Allows Arbitrary Command Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-28-vm2-sandbox-escape/"}],"language":"en","title":"CraftedSignal Threat Feed — Vm2 (\u003c= 3.11.0)","version":"https://jsonfeed.org/version/1.1"}