#VU74606 Improper Control of Dynamically-Managed Code Resources in vm2
Vulnerability identifier: #VU74606
Vulnerability risk: High
CVSSv3.1: 8.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-913
Exploitation vector: Network
Exploit availability: Yes
Vulnerable software:
vm2
Web applications /
Modules and components for CMS
Vendor: Patrik Simek
Description
The vulnerability allows a remote attacker to escape sandbox restrictions.
The vulnerability exists due to improper handling of host objects passed to "Error.prepareStackTrace" in case of unhandled async errors. A remote attacker can pass specially crafted input to the application, escape sandbox restrictions and execute arbitrary code on the host.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
vm2: 3.9.0 - 3.9.14
External links
http://github.com/patriksimek/vm2/issues/515
http://github.com/patriksimek/vm2/commit/d534e5785f38307b70d3aac1945260a261a94d50
http://gist.github.com/seongil-wi/2a44e082001b959bfe304b62121fb76d
http://github.com/patriksimek/vm2/security/advisories/GHSA-7jxr-cg7f-gpgv
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
