CVE-2023-29199
Published 2023-04-14
Priority P2 · 72 · critical · 10 · CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 3.82% (88.7th percentile)
There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass `handleException()` and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context. A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.16` of `vm2`.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| patriksimek | vm2 | < 3.9.16 | 3.9.16 |
| vm2_project | vm2 | < 3.9.16 | 3.9.16 |
| vm2_project | vm2 | >= 0 < 3.9.16 | 3.9.16 |
Detection & IOCs (extracted from sources)
- Vulnerability exists in the source code transformer's exception sanitization logic of vm2; look for attempts to trigger exception handling paths that bypass `handleException()` to leak unsanitized host exceptions
- Monitor for unexpected remote code execution originating from processes running inside a vm2 sandbox, particularly on hosts running vm2 versions <= 3.9.15
- Audit deployments of rhacm2/console-rhel8 (Red Hat Advanced Cluster Management for Kubernetes 2) for use of vulnerable vm2 versions up to 3.9.15
- No mitigation is currently available from Red Hat; patching to vm2 version 3.9.16 is the only confirmed fix
- The vulnerability is specifically in the exception sanitization logic of the source code transformer component of vm2, not the sandbox isolation layer itself; detection should focus on exception-handling bypass patterns
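Because the only confirmed fix is upgrading to vm2 3.9.16, the practical audit step is to find every vm2 copy an application actually installs, including copies nested under other dependencies. The script below is an added example, not code from the advisory or the vm2 project: it walks an npm lockfile (both the lockfileVersion 2/3 "packages" map and the older v1 nested "dependencies" tree) and reports each vm2 install below 3.9.16. The lockfile it scans is constructed inline, and the dependency name "legacy-runner" is hypothetical.

```javascript
// Added example (not from the advisory or the vm2 project): find every
// vm2 install in an npm lockfile that is older than the fixed release
// 3.9.16 named in the advisory. Handles lockfileVersion 2/3 ("packages"
// map) and the older v1 nested "dependencies" tree. The sample lockfile
// at the bottom is constructed for illustration.

const FIXED_VM2_VERSION = '3.9.16';

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Negative if a < b, 0 if equal, positive if a > b. A pre-release of a
// version sorts below the release itself, as in semver ordering.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

function isVulnerableVm2(name, version) {
  return name === 'vm2' && Boolean(version) &&
    compareVersions(version, FIXED_VM2_VERSION) < 0;
}

// lockfileVersion 1: nested "dependencies" objects, one per install.
function walkV1(deps, prefix, findings) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (isVulnerableVm2(name, meta.version)) findings.push({ path, version: meta.version });
    walkV1(meta.dependencies, `${path}/`, findings);
  }
}

// lockfileVersion 2/3: flat "packages" map keyed by install path, e.g.
// "node_modules/foo/node_modules/vm2". Nested copies matter: a patched
// top-level vm2 does not fix a vulnerable copy pulled in by a dependency.
function walkV2(packages, findings) {
  for (const [path, meta] of Object.entries(packages || {})) {
    if (path === '' || !meta) continue; // "" is the root project itself
    const idx = path.lastIndexOf('node_modules/');
    const name = meta.name || path.slice(idx + 'node_modules/'.length);
    if (isVulnerableVm2(name, meta.version)) findings.push({ path, version: meta.version });
  }
}

// Returns [{ path, version }] for each vm2 install below the fix.
function findVulnerableVm2(lock) {
  const findings = [];
  if (lock.packages) walkV2(lock.packages, findings);
  else walkV1(lock.dependencies, '', findings);
  return findings;
}

// Constructed sample: patched top-level vm2, plus a vulnerable copy nested
// under a hypothetical dependency "legacy-runner".
const sampleLock = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.9.16' },
    'node_modules/legacy-runner': { version: '0.1.0', dependencies: { vm2: '3.9.11' } },
    'node_modules/legacy-runner/node_modules/vm2': { version: '3.9.11' },
  },
};

for (const hit of findVulnerableVm2(sampleLock)) {
  console.log(`vulnerable vm2 ${hit.version} at ${hit.path} (fix: ${FIXED_VM2_VERSION})`);
}
```

On the constructed lockfile the top-level vm2 is already at 3.9.16 and is not reported, while the copy under `node_modules/legacy-runner/node_modules/vm2` at 3.9.11 is. To run it against a real project, replace `sampleLock` with the parsed contents of its `package-lock.json`; a nested hit means the fix has to come from the dependency that pins the old vm2, or from an override, not from bumping the top-level version alone.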
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| vendor_redhat | | 9.8 | CRITICAL | |
OSV
vm2 Sandbox Escape vulnerability
osv·2023-04-12
CVE-2023-29199 [CRITICAL] vm2 Sandbox Escape vulnerability
There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass `handleException()` and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context.
### Impact
A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.
### Patches
This vulnerability was patched in the release of version `3.9.16` of `vm2`.
### Workarounds
None.
### References
GitHub Issue - https://github.com/patriksimek/vm2/issues/516
PoC - https://gist.github.com/leesh3288/f05730165799bf56d70391f3d9ea187c
### For more information
If you have any questions or comments about this advisory:
GHSA
vm2 Sandbox Escape vulnerability
ghsa·2023-04-12
CVE-2023-29199 [CRITICAL] CWE-913 vm2 Sandbox Escape vulnerability
Red Hat
vm2: Sandbox Escape
vendor_redhat·2023-04-08·CVSS 9.8
CVE-2023-29199 [CRITICAL] CWE-755 vm2: Sandbox Escape
A flaw was found in the vm2 sandbox. When exception handling is triggered, the sanitization logic is not managed with proper exception handling. This issue may allow an attacker to bypass the sandbox protections which can lead to remote code execution on the hypervisor host or the host which is
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://gist.github.com/leesh3288/f05730165799bf56d70391f3d9ea187c
- https://github.com/patriksimek/vm2/commit/24c724daa7c09f003e556d7cd1c7a8381cb985d7
- https://github.com/patriksimek/vm2/issues/516
- https://github.com/patriksimek/vm2/releases/tag/3.9.16
- https://github.com/patriksimek/vm2/security/advisories/GHSA-xj72-wvfv-8985