On 28 September GitHub published a security advisory for the Node.js library vm2, detailing a sandbox escape vulnerability assigned a severity rating of 10 as CVE-2022-36067. Called Sandbreak, the initial notification was received by developers of the package on 28 August, and was patched later that day as version 3.9.11. Vm2 is a Node.js package that enables the user to run untrusted code without risking compromise of the system running it. The vulnerability exploits a flaw in error handling to escape the sandbox and run shell commands on the system running vm2.
Companies should immediately identify all Node.js servers, check if they are running vm2, and, if so, verify a version older than 3.9.11 isn’t being used. A robust and well-resourced dependency and vulnerability management program will help identify issues like this sooner: dependency management tracks all dependencies that are required for business functions and when updates are available for them, and vulnerability management should function like change management for vulnerability mitigation and resolution. Dependency management should be well-resourced, as many software products are built upon hundreds or thousands of dependencies. Vulnerability scanners can help significantly with keeping up with the latest vulnerabilities and mitigations.
Additionally, virtual sandboxing alone should never be considered sufficient to protect against untrusted code. Companies should implement command-line logging in order to identify normal use-case for their applications and detect abnormal commands. Further protection can be achieved by separating instances running sandboxes from more business-critical instances, requiring more effort to successfully attack a network and more opportunities to detect the activity.