VM2 Sandbox Escape Vulnerability

Released: Nov 18, 2022

Updated: Apr 19, 2023


High Severity

Vulnerability Type


Critical flaws in a widely used JavaScript sandbox library

vm2 is a sandbox that runs untrusted code with access only to a whitelist of Node's built-in modules. By exploiting these flaws, threat actors can bypass the sandbox protections and gain remote code execution on the host running the sandbox.

Common Vulnerabilities and Exposures

CVE-2022-36067
CVE-2023-29017
CVE-2023-29199
CVE-2023-30547

Background

According to npm, the vm2 package has over 3,500,000 weekly downloads, and because of its wide usage by other applications, it ultimately puts those applications at risk of exploitation. For example, research shows that Backstage, an open platform for building developer portals, uses vm2 and can be exploited by leveraging the vm2 sandbox escape vulnerability. https://www.oxeye.io/blog/remote-code-execution-in-spotifys-backstage

The Backstage platform is used by various organizations such as Netflix, Splunk, Spotify, Palo Alto Networks and Wealthsimple.
https://github.com/backstage/backstage/blob/master/ADOPTERS.md

Latest Development

Aug 28, 2022: GitHub issued CVE-2022-36067 and released a public advisory.
https://github.com/patriksimek/vm2/security/advisories/GHSA-mrgp-mrhc-5jrq


Oct 10, 2022: The vulnerability (CVE-2022-36067) was publicly disclosed; the issue was patched in version 3.9.11.
https://www.oxeye.io/blog/vm2-sandbreak-vulnerability-cve-2022-36067

April 6, 2023: CVE-2023-29017, affecting versions <= 3.9.14, was disclosed together with a proof-of-concept (PoC); the vendor provided the fix in vm2 version 3.9.15.
https://github.com/patriksimek/vm2/security/advisories/GHSA-7jxr-cg7f-gpgv
https://github.com/patriksimek/vm2/releases/tag/3.9.15

April 14, 2023: CVE-2023-29199 was discovered and patched in version 3.9.16 of vm2.
https://github.com/advisories/GHSA-xj72-wvfv-8985

April 17, 2023: CVE-2023-30547 was discovered and an advisory was released. The fix was provided in version 3.9.17 of vm2.
https://github.com/patriksimek/vm2/security/advisories/GHSA-ch3r-j5x3-6q2m

FortiGuard Labs has updated the IPS signature (ID: 52237) to detect and block attacks leveraging the vm2 sandbox vulnerabilities (CVE-2022-36067, CVE-2023-29017, CVE-2023-29199, CVE-2023-30547). Users are recommended to apply the patch as per the vendor's instructions.
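Because vm2 is usually pulled in transitively (as in the Backstage case above), checking only the top-level dependency list misses nested copies. The following script is an added example, not code from FortiGuard or the vm2 project: it walks a package-lock.json and maps every installed vm2 version to the CVEs whose fixed releases are listed in the timeline above. It assumes that every version below a CVE's fixed release is affected, and the lockfile it scans is constructed sample data.

```javascript
// Added example (not from the FortiGuard page or the vm2 project): report which of the
// vm2 CVEs listed above an installed copy is still exposed to, using the fixed versions
// stated in the timeline. Assumption: any version below a fix release is affected.
const VM2_FIXES = [
  { cve: 'CVE-2022-36067', fixed: '3.9.11' },
  { cve: 'CVE-2023-29017', fixed: '3.9.15' },
  { cve: 'CVE-2023-29199', fixed: '3.9.16' },
  { cve: 'CVE-2023-30547', fixed: '3.9.17' },
];

// Parse "3.9.14" (tolerating a leading range operator such as "^3.9.14") into [3, 9, 14].
function parseVersion(v) {
  const m = /^[\^~>=<\s]*(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Negative if a < b, zero if equal, positive if a > b (numeric, not lexical).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// CVEs an installed vm2 version has not yet received the fix for.
function unpatchedCves(version) {
  return VM2_FIXES.filter(f => compareVersions(version, f.fixed) < 0).map(f => f.cve);
}

// Walk a lockfile v2/v3 "packages" map and flag every vm2 copy, nested ones included.
function auditLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/vm2') || !meta.version) continue;
    const cves = unpatchedCves(meta.version);
    if (cves.length) findings.push({ path, version: meta.version, cves });
  }
  return findings;
}

// Constructed sample lockfile: a patched direct copy and an outdated transitive copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/vm2': { version: '3.9.17' },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.9.14' },
  },
};

console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json'))`.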

FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.

PROTECT
  • IPS
  • Web App Security

DETECT
  • Outbreak Detection
  • Threat Hunting
  • Content Update

RESPOND
  • Assisted Response Services
  • Automated Response

RECOVER
  • InfoSec Services

IDENTIFY
  • Attack Surface Monitoring (Inside & Outside)
