Critical vulnerability, active

Node.js VM Sandbox Escape in OneUptime Leading to RCE

OneUptime's use of Node.js vm module for executing untrusted code allows sandbox escape and full cluster compromise, highlighting the risks of improper isolation mechanisms.

Sebastion

CVE References

Affected

OneUptime/oneuptime

The vulnerability arises from the use of Node.js's vm module to execute user-provided JavaScript code without proper validation or sandboxing. The vm.runInContext() method is not designed as a security mechanism, allowing malicious code to escape the sandbox and gain full process control. This leads to unauthorized access to sensitive environment variables and potential cluster-wide compromise.

The proof-of-concept demonstrates that any project member can inject arbitrary JavaScript, leading to complete system takeover. It underscores the importance of validating untrusted code inputs and using secure execution environments for such operations.

Monitor for unexpected process behavior, network traffic originating from probe instances, and unauthorized access attempts to sensitive resources. Implement logging and alerts for any changes in environment variable usage or unusual process activity within the probe.

Replace the use of the vm module with a sandboxing solution designed for untrusted code execution. Enforce strict input validation on customCode, including AST analysis and keyword filtering, so that scripts reaching for the host process or module system are rejected before they are executed.

The likelihood of exploitation is high due to the ease of achieving RCE and potential access to sensitive credentials. This makes it a critical vulnerability, especially for organizations managing clusters with valuable resources.