Reference: Advisory #2023-57
Version: 1.0
Affected software: All Java vm2 versions prior to version 3.9.18
Type: Remote code execution (RCE) & defense evasion
CVE/CVSS:
CVE-2023-32314, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2023-32313, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
https://github.com/patriksimek/vm2/security/advisories
Two critical vulnerabilities (CVE-2023-32313 and CVE-2023-32314) were patched in the release of new versions of the vm2 JavaScript sandbox library.
Successful exploitation of CVE-2023-32314 allows a threat actor to bypass the sandbox protections and gain remote code execution rights on the host running the sandbox.
Successful exploitation of CVE-2023-32313 allows a threat actor to interact with the logging capabilities and hide its activity during an attack.
Successful exploitation has a high impact on Confidentiality, Integrity and Availability.
Proof-of-concept code is published; exploitation in the near future is highly likely.
The Centre for Cybersecurity Belgium recommends system administrators to patch vulnerable systems as soon as possible and to analyse system and network logs for any suspicious activity.
If you have already identified an intrusion or incident, please report it via: https://cert.be/en/report-incident
Vm2 is a well-known JavaScript sandbox library that is used by software, including IDEs, code editors, and various security tools. It allows partial code execution on isolated Node.js servers while securing system resources and external data from unauthorized access.
CVE-2023-32314 is a critical sandbox escape vulnerability that abuses an unexpected creation of a host object based on the specification of proxy.
CVE-2023-32313 is a defense evasion vulnerability in which an attacker can get a read-write reference to the Node inspect method and edit options for the console's log function. This enables a threat actor to evade detection, for instance by creating misleading error messages and hiding its tracks.
Patches are available in the release of new versions of the vm2 JavaScript sandbox library.