CVE-2022-36067
Bypass Sandbox Protection vulnerability in vm2 (npm)
What is CVE-2022-36067 About?
This vulnerability allows a threat actor to bypass the sandbox protections of vm2 versions prior to 3.9.11 and execute arbitrary code on the host running the sandbox. The flaw is in vm2's sandbox setup: code running inside the sandbox can tamper with the global Error and, through it, reach objects and properties that live outside the isolated environment. A public proof of concept confirms exploitability.
Affected Software
Technical Details
The vulnerability in vm2 (prior to version 3.9.11) is a sandbox escape that yields code execution on the host with the privileges of the Node.js process running vm2. The flaw is in lib/setup-sandbox.js, near line 71 of the version the references point at (note that the blob/master links track the current file, so that line number drifts; the fix commit is the authoritative location). The sandbox's global Error could be replaced or altered by the untrusted code it was running, and vm2's own stack-trace handling trusted it. The published proof of concept exploits exactly that: it sets the name property of a sandbox Error to an object whose toString is a Proxy, then reads err.stack. Preparing the stack trace calls that toString from the host side, so the Proxy's apply trap receives an arguments array created in the host realm; args.constructor.constructor("return process")() then returns the host process object, and process.mainModule.require("child_process") gives the attacker a shell. No engine weakness is involved: the escape comes from host code invoking an attacker-controlled callable with host-realm objects, which is precisely the boundary vm2's bridge exists to enforce.
What is the Impact of CVE-2022-36067?
Successful exploitation lets code that was supposed to be confined to the sandbox run arbitrary commands on the host with the privileges of the Node.js process that embeds vm2. Everything that process can reach is exposed: its environment and secrets, the filesystem, internal network services and, in a multi-tenant service, the scripts and data of other tenants.
What is the Exploitability of CVE-2022-36067?
Exploitation requires nothing beyond the ability to run JavaScript inside the vm2 sandbox, which in the usual deployment (executing scripts supplied by users, plugins or tenants) is exactly what an attacker already has; the public proof of concept is a few lines of sandbox code and needs no timing, race or memory corruption. Authentication is not a direct factor, because the vulnerable code path is reached by the sandboxed script itself; whether an attacker must log in to submit that script depends on the application. The resulting code runs with the privileges of the Node.js process hosting vm2. The trigger therefore originates locally, inside the sandbox, but the script is typically delivered remotely. The escape depends on vm2's own Error handling rather than on an engine bug, so the Node.js version is not a meaningful barrier; treat every deployment of vm2 below 3.9.11 as exploitable.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| Prathamrajgor | Link | This repo contains a payload for CVE-2022-36067 |
| 0x1nsomnia | Link | PoC for CVE-2022-36067 |
What are the Available Fixes for CVE-2022-36067?
About the Fix from Resolved Security
The patch redefines the sandbox's global Error property to a controlled LocalError implementation, so user-supplied code can no longer replace Error with a malicious object. This closes the escape behind CVE-2022-36067, in which altering Error let attackers reach objects and properties outside the sandboxed environment.
Available Upgrade Options
- vm2
  - <3.9.11 → Upgrade to 3.9.11
Additional Resources
- https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b873#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164
- https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71
- https://osv.dev/vulnerability/GHSA-mrgp-mrhc-5jrq
- https://www.oxeye.io/blog/vm2-sandbreak-vulnerability-cve-2022-36067
- https://github.com/patriksimek/vm2/issues/467
- https://github.com/patriksimek/vm2
- https://github.com/patriksimek/vm2/security/advisories/GHSA-mrgp-mrhc-5jrq
- https://security.netapp.com/advisory/ntap-20221017-0002/
What are Similar Vulnerabilities to CVE-2022-36067?
Similar Vulnerabilities: CVE-2020-15250, CVE-2021-26701, CVE-2021-23840, CVE-2022-21674, CVE-2022-23214
