
Unpatched VM2 RCE Vulnerabilities Actively Exploited

Unpatched vulnerabilities in vm2 pose a significant threat to systems that run this sandbox environment. Recent critical flaws, such as CVE-2023-29017 and CVE-2022-36067, have allowed threat actors to bypass sandbox protections and gain unauthorized access, potentially compromising sensitive data.

Upgrading to a patched release, such as version 3.9.15, is crucial for organizations to mitigate these security risks. Failure to address these vulnerabilities promptly could result in unauthorized code execution and severe consequences for system integrity.

Overview of Unpatched VM2 Vulnerabilities

Two vulnerabilities in the vm2 sandbox, which remain unpatched on systems that have not been upgraded, are being actively exploited by threat actors.

The first vulnerability, identified as CVE-2023-29017, affects versions of vm2 before 3.9.15. This vulnerability allows threat actors to bypass the sandbox's protections, potentially leading to remote code execution on the host system. The issue arises from the improper handling of host objects passed to `Error.prepareStackTrace` in the event of unhandled async errors.

The severity of this vulnerability is classified as critical, with a CVSS 3.x score of 9.8, according to NIST. A score this high indicates that the flaw is readily exploitable and has a significant impact on the affected system's confidentiality, integrity, and availability. The vulnerability has been patched in vm2 version 3.9.15; there are no known workarounds for earlier versions.

The second vulnerability, identified as CVE-2022-36067, affects versions of vm2 before 3.9.11. This vulnerability also enables threat actors to bypass the sandbox's protections, resulting in potential remote code execution on the host system. The severity of this vulnerability is also classified as critical, with a CVSS 3.x score of 10.0, according to both NIST and the CNA (GitHub, Inc.).

Users of the vm2 sandbox must update to the latest patched version to mitigate these vulnerabilities and prevent potential exploitation by threat actors.

Impact and Exploitation of Unpatched VM2 Vulnerabilities

Left unpatched, these vm2 vulnerabilities pose significant risks to sandbox users. They allow threat actors to bypass the sandbox protections and execute code remotely on the host running the sandbox.

One such vulnerability, CVE-2023-29017, was present in vm2 versions before 3.9.15. In these versions, the sandbox did not handle host objects properly when unhandled async errors occurred, allowing malicious actors to exploit the vulnerability.

Similarly, CVE-2022-36067, found in versions before 3.9.11, also allowed threat actors to bypass sandbox protections and execute arbitrary code on the host system. The severity of these vulnerabilities is classified as critical, with a CVSS base score of 9.8 for CVE-2023-29017 and 10.0 for CVE-2022-36067.

It is essential for sandbox users to promptly apply the necessary patches to mitigate the risks associated with these vulnerabilities. Failure to do so could result in unauthorized remote code execution, potentially compromising the host system and sensitive data.

Conclusion

In conclusion, organizations using vm2 must promptly update to the latest patched version to mitigate the risks posed by unpatched vulnerabilities.

The critical flaw addressed in the latest version, CVE-2023-29017, allowed threat actors to bypass sandbox protections and gain remote code execution privileges.

Similarly, CVE-2022-36067, which affects versions before 3.9.11, enabled unauthorized access and the execution of malicious code.

Failure to address these vulnerabilities could result in severe consequences, including unauthorized code execution and potential compromise of sensitive data.