Now we’re writing to let you know about a similar-but-different hole in the same sandbox toolkit, and urging you to update vm2 if you use (or are responsible for building) any products that depend on this package.
As you’ve probably guessed, VM is short for virtual machine, a name often used to describe what you might call a “software computer” that helps you to run applications in a restricted way, under more careful control than would be possible if you gave those applications direct access to the underlying operating system and hardware.
And the word sandbox is another way of referring to a stripped-down and regulated runtime environment that an application thinks is the real deal, but which cocoons the app to restrict its ability to perform dangerous actions, whether through incompetence or malice.
Trapped in an artificial reality
For example, an app might expect to be able to find and open the system-wide user database file /etc/passwd, and might report an error and refuse to go further if it can’t.
In some cases, you might be happy with that, but you might decide (for safety as much as for security) to run the app in a sandbox where it can open a file that answers to the name /etc/passwd, but that is actually a stripped-down or mocked-up copy of the real file.
Likewise, you might want to corral all the network requests made by the app so that it thinks it has unfettered access to the internet, and behaves programmatically as though it does…
…while in fact it is communicating through what amounts to a network simulator that keeps the app inside a well-regulated walled garden, with content and behaviour you can control as you wish.
In short, and in keeping with the metaphor, you’re forcing the app to play in a sandbox of its own, which can help to protect you from possible harm caused by bugs, by malware code, or by ill-considered programming choices in the app itself – all without needing to modify or even recompile the app.
Browser-style sandboxing for servers
example.com, for instance, can’t peek at web data such as cookies or authentication tokens set by other sites.
Security error in an error handler
Unfortunately, this new CVE-2023-29017 bug in
…could be tricked into running code of your choice if you deliberately provoked an error in order to trigger the buggy function.
Simply put, “a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.”
vm2 and execute arbitrary shellcode.”
The sample exploit snippets show how to run any command you like in a system shell, as you could with the C function system(), the Python function os.system(), or Lua’s
What to do?
…so take the hint, and update as soon as you can if you have any apps that rely on
The bug was patched in vm2 version 3.9.15, which came out at 2023-04-06T18:46:00Z.
Note: this patch was quickly followed by another update to 3.9.16 to patch a second sandbox escape subsequently reported by the same researcher, and announced in a follow-up security advisory published at 2023-04-11T11:41:00Z. [This article was updated at 2023-04-12T08:28:00Z.]
So, make sure you have vm2 version 3.9.16 or later.
If you use any server-side
vm2 or not, contact your vendor for advice.
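As an added example (not code from the article or from the vm2 project), here is a small Node.js script that checks an npm package-lock.json for copies of vm2 older than the fixed 3.9.16 release, including nested copies pulled in by other dependencies; the sample lockfile below is constructed for the demonstration.

```javascript
// Added example: scan an npm package-lock.json (lockfileVersion 2 or 3)
// for vm2 installs that predate the fixed 3.9.16 release.
const FIXED_VM2 = "3.9.16";

// Compare two dotted version strings numerically (-1, 0 or 1);
// any pre-release suffix after "-" is ignored for the comparison.
function compareSemver(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return every vm2 copy in the lockfile whose version is older than the fix.
// Lockfile v2/v3 keys the "packages" map by install path, so nested copies
// such as node_modules/some-lib/node_modules/vm2 are found too.
function findVulnerableVm2(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isVm2 = path === "node_modules/vm2" || path.endsWith("/node_modules/vm2");
    if (isVm2 && compareSemver(meta.version, FIXED_VM2) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: the direct vm2 dependency is still on 3.9.14,
// while a nested copy under some-lib has already been updated to 3.9.16.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.9.14" },
    "node_modules/some-lib": { version: "2.0.0" },
    "node_modules/some-lib/node_modules/vm2": { version: "3.9.16" },
  },
};

// Report each outdated copy; an empty list means every vm2 is 3.9.16 or later.
for (const h of findVulnerableVm2(SAMPLE_LOCK)) {
  console.log(`${h.path}: vm2 ${h.version} is older than ${FIXED_VM2}, update needed`);
}
```

To check a real project, replace SAMPLE_LOCK with the parsed contents of its package-lock.json.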