The two the flaws – CVE-2023-29199 and CVE-2023-30547 – are rated 9.8 out of 10 on the CVSS scoring process and have been resolved in variations 3.9.16 and 3.9.17, respectively.
Effective exploitation of the bugs, which permit an attacker to increase an unsanitized host exception, could be weaponized to escape the sandbox and run arbitrary code in the host context.
Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
“A menace actor can bypass the sandbox protections to get remote code execution legal rights on the host working the sandbox,” the maintainers of the vm2 library explained in an inform.
Credited with finding and reporting the vulnerabilities is security researcher SeungHyun Lee, who has also launched proof-of-concept (PoC) exploits for the two issues in issue.
The disclosure arrives a small about a week just after vm2 remediated an additional sandbox escape flaw (CVE-2023-29017, CVSS rating: 9.8) that could guide to the execution of arbitrary code on the underlying method.
It truly is worthy of noting that researchers from Oxeye thorough a critical remote code execution vulnerability in vm2 late last yr (CVE-2022-36067, CVSS rating: 9.8) that was codenamed Sandbreak.
Found this write-up appealing? Adhere to us on Twitter and LinkedIn to go through more unique material we publish.
Some pieces of this post are sourced from: