CVE-2023-29017
sandbox bypass vulnerability in vm2 (npm)
What is CVE-2023-29017 About?
This vulnerability in vm2 allows a threat actor to bypass sandbox protections to achieve remote code execution. It occurs due to improper handling of host objects passed to `Error.prepareStackTrace` during unhandled async errors. Exploitation is highly impactful, granting full control over the host system.
Affected Software
vm2 (npm), versions earlier than 3.9.15.
Technical Details
The vm2 sandbox did not correctly handle host objects when they were passed to the `Error.prepareStackTrace` function during an unhandled asynchronous error. By triggering such an error inside the sandbox under conditions where host objects reach `Error.prepareStackTrace`, an attacker can escape the sandbox and execute arbitrary code on the underlying host system, bypassing the isolation vm2 is meant to provide.
What is the Impact of CVE-2023-29017?
Successful exploitation may allow attackers to bypass sandbox protections and execute arbitrary code on the host system, leading to complete system compromise.
What is the Exploitability of CVE-2023-29017?
Exploitation requires the attacker to be able to execute code within the vm2 sandbox. The complexity lies in crafting code that triggers an unhandled asynchronous error involving host objects passed to `Error.prepareStackTrace`. No authentication is required within the context of the sandbox itself, but the attacker must have a means to introduce and execute their malicious code inside the vm2 environment. This is a local privilege escalation within the sandbox, leading to remote code execution on the host machine. The likelihood of exploitation increases when an application evaluates untrusted input inside vm2.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| timb-machine-mirrors | Link | Clone from gist |
| passwa11 | Link | PoC for CVE-2023-29017 |
What are the Available Fixes for CVE-2023-29017?
About the Fix from Resolved Security
The patch ensures stack trace arrays passed into the sandbox are either wrapped in the current sandbox context or deep-copied with proper CallSite objects, preventing prototype pollution from crafted input objects. This fixes CVE-2023-29017 by eliminating a sandbox escape vector where attackers could manipulate CallSite prototypes through sharing or tampering with stack trace arrays.
Available Upgrade Options
- vm2
- <3.9.15 → Upgrade to 3.9.15
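The upgrade advice above reduces to a version check, so here is an added Node.js script (not part of this advisory or of the vm2 project) that audits an npm `package-lock.json` for every installed copy of vm2 below 3.9.15, including nested copies pulled in by other dependencies. The lockfile embedded below is constructed for the demonstration, and the function names are my own.

```javascript
// Added example: audit a package-lock.json for vm2 installs affected by
// CVE-2023-29017 (fixed in vm2 3.9.15). Supports lockfileVersion 2/3
// ("packages" map) and lockfileVersion 1 (nested "dependencies" tree).
const FIXED_VERSION = '3.9.15';

// Parse "major.minor.patch[-prerelease]" into its components.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : [] };
}

// Compare two versions per semver precedence rules: -1, 0 or 1.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${!pa ? a : b}`);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  // A prerelease sorts below the same release number (3.9.15-0 < 3.9.15).
  if (pa.pre.length && !pb.pre.length) return -1;
  if (!pa.pre.length && pb.pre.length) return 1;
  const n = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (+x !== +y) return +x < +y ? -1 : 1; }
    else if (xn !== yn) return xn ? -1 : 1; // numeric identifiers rank lower
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isVulnerableVm2(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Collect every vm2 entry (path + version) from a parsed lockfile object.
function findVm2Installs(lock) {
  const found = [];
  if (lock.packages) {
    // lockfile v2/v3: keys are install paths such as "node_modules/vm2".
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/vm2') && meta.version) {
        found.push({ path, version: meta.version });
      }
    }
    return found;
  }
  // lockfile v1: walk the nested dependency tree.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'vm2' && meta.version) found.push({ path, version: meta.version });
      if (meta.dependencies) walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return found;
}

// Produce one finding per vm2 install with an upgrade verdict.
function auditLockfile(lock) {
  return findVm2Installs(lock).map(({ path, version }) => {
    const vulnerable = isVulnerableVm2(version);
    return {
      path,
      version,
      vulnerable,
      advice: vulnerable ? `upgrade vm2 to >=${FIXED_VERSION} (CVE-2023-29017)` : 'ok',
    };
  });
}

// Constructed sample lockfile: a direct vm2 3.9.14 plus a nested 3.9.15
// under a hypothetical plugin package.
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0', dependencies: { vm2: '^3.9.0' } },
    'node_modules/vm2': { version: '3.9.14' },
    'node_modules/some-plugin': { version: '2.0.0', dependencies: { vm2: '3.9.15' } },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.9.15' },
  },
};

// Usage: node audit-vm2.js [path/to/package-lock.json]; without an argument
// the constructed sample lockfile is audited.
if (typeof require !== 'undefined' && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  for (const f of auditLockfile(lock)) {
    console.log(`${f.vulnerable ? 'VULNERABLE' : 'ok        '} ${f.path} ${f.version} ${f.advice}`);
  }
}
```

Checking only the top-level `node_modules/vm2` entry misses nested copies that a transitive dependency pins, which is why the script walks every install path; a lockfile that lists a nested 3.9.14 alongside a patched top-level copy is still exposed through whichever package loads the old one.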
Additional Resources
- https://github.com/patriksimek/vm2/security/advisories/GHSA-7jxr-cg7f-gpgv
- https://nvd.nist.gov/vuln/detail/CVE-2023-29017
- https://osv.dev/vulnerability/GHSA-7jxr-cg7f-gpgv
- https://github.com/patriksimek/vm2
- https://github.com/patriksimek/vm2/issues/515
- https://github.com/patriksimek/vm2/commit/d534e5785f38307b70d3aac1945260a261a94d50
- https://gist.github.com/seongil-wi/2a44e082001b959bfe304b62121fb76d
What are Similar Vulnerabilities to CVE-2023-29017?
Similar Vulnerabilities: CVE-2022-36067, CVE-2022-36068, CVE-2022-23746, CVE-2021-23420, CVE-2020-28267
