Discontinued #533
Comments
|
Sorry to hear that @XmiliaH @patriksimek The migration to |
|
@XmiliaH can you disclose if there are any non-published escape vulnerabilities against VM2? Did someone disclose a sandbox escape thats too hard to fix with current architecture? It would be helpful to know if we can expect someone to publish a PoC or CVE soon since this was announced. |
|
Xion (SeungHyun Lee) of KAIST Hacking Lab found the vulnerabilities I am not able to fix without changing the whole sandboxing strategy. So there are currently non-published escape vulnerabilities that affects everyone who uses this library to run untrusted code. I do not know if and when they intend to make the vulerability public. |
|
Thank you for the quick reply @XmiliaH - This is very helpful information. It is unfortunate that you can not address them but understandable. This is a lot to ask but do you know if isolated-vm would be likely vulnerable to similar vulnerabilities? |
|
The problems that piled up are caused by |
I am willing to disclose the specifics including PoC sooner than later, but we would either need to publish a CVE or deprecate the library on npm in advance (preferrably both for clarity) so that scanners/alerts like |
|
I cannot create security advisories, so I cannot publish a CVE. However, I might be able to deprecate the library on npm but would prefer @patriksimek to do both. |
|
@XmiliaH I will take care of that tomorrow, along with some more messaging. |
|
Thanks @patriksimek and @XmiliaH - I see there is an unpatched RCE CVE for isolated-vm. It may not be a viable option for the community to move to. Are you aware of any other sandboxing alternatives? Since no VM2 patch will be possible, has KAIST Hacking Lab communicated any responsible disclosure timeline? Like 90 days or similar to give the community time to move to another solution? |
|
@AppSecSeanner The linked RCE in isolated-vm is only applicable when untrusted v8 cache data is passed through As for the responsible disclosure timeline, I have reported this issue in May 23, 2023 to vm2 maintainers. Maintainers and I have looked into this issue but have found no satisfactory solution, and ultimately decided to phase out the library. Specific disclosure timelines on my side has not been explicitly communicated in advance as the maintainers were very prompt and clear with their responses, and I did not feel the need for a specific disclosure policy. The library has now been officially deprecated, and we are preparing security advisories for the issues. The problem here is that publishing public advisories (CVEs) for the bug ASAP is usually good practice, but in this case I believe that even without an explicit PoC given the description itself is sufficient to write one. We are communicating to roll out an advisory while dealing with this issue but currently do not have fixed deadlines. |
|
Thank you @leesh3288 - This is very helpful information and I appreciate the transparency. I am not familiar with isolated-vm but what you shared makes sense, it looks like CachedDataOptions just exposes ExternalCopy some way. Thank you also for sharing the backstage blog and related information, this will be helpful to address concerns for anyone else in the community using Snyk. |
|
Advisories have been published, and the library has been deprecated. We agreed with @leesh3288 to disclose the PoC after 28 days from today to give teams time to migrate their projects. I am re-posting here what I put into the README. Dear community, It's been a truly remarkable journey for me since the vm2 project started nine years ago. The original intent was to devise a method for running untrusted code in Node, with a keen focus on maintaining in-process performance. Proxies, an emerging feature in JavaScript at that time, became our tool of choice for this task. From the get-go, we recognized the arduous task that lay ahead, as we tried to safeguard against the myriad of escape scenarios JavaScript presented. However, the thrill of the chase kept us going, hopeful that we could overcome these hurdles. Through the years, this project has seen numerous contributions from passionate individuals. I wish to extend my deepest gratitude to all of you. Special thanks go to @XmiliaH, whose unwavering dedication in maintaining and improving this library over the last 4 years was instrumental to its sustained relevance. Unfortunately, the growing complexity of Node has brought us to a crossroads. We now find ourselves facing an escape so complicated that fixing it seems impossible. And this isn't about one isolated issue. Recent reports have highlighted that sustaining this project in its current form is not viable in the long term. Therefore, we must announce the discontinuation of this project. You may wonder, "What now?" While this may seem like an end, I see it as an opportunity for you to transition your projects and adapt to a new solution. We would recommend migrating your code to the isolated-vm, a library which employs a slightly different, yet equally effective, approach to sandboxing untrusted code. Thank you all for your support and understanding during this journey. Warm Regards, |
|
Thank you, @leesh3288, for your security finding and @patriksimek and the rest of the maintainers for your continuous contribution to open source. |
|
Well. Couldnt you atleast consider providing a api compatible wrapper around isolated-vm? Then migrating would maybe easier and faster, for now. |
|
@Uzlopak While that would be really nice, considering this project's license, the project maintainers aren't liable to provide us with a migration path. not to mention that it would be not easy to create a fully-compatible wrapper on top of It might be better to look at how you were using |
|
Well. It should be atleast be motivated that there is a potential migration guide to the recommended module. Doesnt mean that the maintainers should do it but maybe somebody who uses vm2 and does the migration can atleast provide a PR with a migration guide. I personally dont use vm2 right now. But i saw in the security risk overview of our enterprise that it is popping up. I told my coworkers that vm2 is notorious for critical security issues because there is always an asian dev, who finds some way to break out of the sandbox, just to visit the npm page and see that vm2 got deprecated. |
|
In our case we are executing the untrusted code in a forked child process (then VM2 inside that) for additional isolation, and using IPC to communicate the result back to the main process. I notice these escapes are using "return process" as part of the escape. In our case we only use "process" for IPC back to the main Node process, and don't need it for anything else. If we set process = undefined in the JS code executing VM2, does that patch the hole or is "process" just 1 of many possible variables that could be used to escape the sandbox with these methods? Edit: |
|
@heberallred I believe that is the main problem the escape allows for many different opportunities and while you could shut down access to key methods this would be highly opinionated and that would go against the general purpose of this library and from that I understand the reason for being discontinued. As with yourself we already execute the VM in a more restrictive process that has additional isolations but still it isn't ideal so applying these extra restrictions in the code. Before this came to light we were looking at using a preprocessor to prevent code we don't want. |
|
For my purposes I was able to transfer to endo for secure execution of untrusted code. Just referencing here in case it works for others. |
|
@XmiliaH I'm just curious how come now you can easily find a bunch of security vulnerabilities that you couldn't find before? I mean there are years of work on this library, and no one could find these vulnerabilities before? |
|
I did not find a bunch of the vulnerabilities. I just fixed the ones reported. As for the last one I was able to find it after taking some time to check the fixes of other forks. |
|
I thought you found them, but that's not important, I mean, how is it possible that they're all coming up now, after years of work? |
|
Most of the new vulnerabilities are cause by node intercepting calls that should be handeled in native code which can be used to break out of the sandbox and I guess it was not found earlier since no one here looked into these cases. |
|
@XmiliaH is the topic of Sandboxing still interesting to you? have you had a look at https://github.com/tc39/proposal-ses ? |
|
I already looked at it some years ago. |
This is crazy, I would think that this is something that the maintainers would look into since it's obviously very important - so important that it just washes away years of work from the maintainers, as well as everyone else that integrated this package into their projects. |
|
I would love to look into all the details of node and v8, but I only have so much time. |
|
@XmiliaH Thanks for all the hard work on vm2. I am an entire novice in terms of deep understandings of Javascript and the ECMAScript specification, I am wondering would it be a sound temporary patch if I disallow all the code with the string I know this does not fix anything regarding breakouts, but to the use case that I was working on, if the code contain these strings, someone must be doing something tricky and I have the total rights to block it. |
|
@rklhui this wouldn't help, there are a lot of ways they can be called, like |
|
What about monkey patching child_process? Or just fork node repository and remove all the critical code you dont need. |
|
That could work. We tried restricting the sandbox and having a very limited sandbox (only Array and Object) globals are available. We tested it against all the posted vulnerabilities, and none of them were breaking the sandbox anymore. This works perfectly for our use case because we need to run some very basic code, so it's fine. |
true, how about if I override the require behaviour by extending the behaviour of native Module._load before running the vm2, like how https://github.com/gajus/override-require is doing. Then I could throw an error when the it is requiring things like "child_process" and stop this malignant code execution. Will this be a sound approach? |
Is there a way to list all that's available? I've found that I have to manually check every class according to the NodeJS documentation. |
|
Probably you just need to patch |
|
Recommend alternative |
and others
Do to security issues that cannot be properly addressed I (XmiliaH) will stop maintaining this library.
For a replacement look into isolated-vm.
The text was updated successfully, but these errors were encountered: