Risk | Low |
Patch available | NO |
Number of vulnerabilities | 1 |
CVE-ID | N/A |
CWE-ID | CWE-121 CWE-122 CWE-191 |
Exploitation vector | Local network |
Public exploit | Public exploit code for vulnerability #1 is available. |
Vulnerable software | Oracle VM VirtualBox (Server applications / Virtualization software) |
Vendor | Oracle |
Security Bulletin
This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU15740
Risk: Low
CVSSv4.0: 7.1 [CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: N/A
CWE-ID: CWE-121 - Stack-based buffer overflow
Exploit availability: No
Description
The vulnerability allows an adjacent attacker to gain elevated privileges on the target system.
The weakness exists in a shared code base of the virtualization software and affects virtual machines configured with the Intel PRO/1000 MT Desktop (82540EM) network adapter in Network Address Translation (NAT) mode. This is the default setup, and it may lead to multiple boundary errors. An adjacent attacker can use packet descriptors (data segments that allow the network adapter to track network packet data in system memory) to trigger an integer underflow condition, and then either read data from the guest OS to cause a heap-based buffer overflow that may lead to overwriting function pointers, or cause a stack overflow condition.
Successful exploitation of the vulnerability allows an adjacent attacker with root/administrator privileges to escape the virtual environment of the guest machine and reach the Ring 3 privilege layer of the host, from which privileges can be escalated to Ring 0 via /dev/vboxdrv.
Until the patched VirtualBox build is out, you can change the network card of your virtual machines to PCnet (either of the two) or to Paravirtualized Network. If you can't, change the mode from NAT to another one. The former way is more secure.
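An added example (not part of the original bulletin and not Oracle's own tooling): a shell script that finds VMs with an 82540EM adapter attached in NAT mode and, when `FIX=1` is set, switches those adapters to the Paravirtualized Network type (`virtio` in VBoxManage). The function names, the `--audit` argument, the `FIX` variable and the sample VM data are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit VirtualBox VMs for the configuration named in this
# bulletin (Intel PRO/1000 MT Desktop, 82540EM, attached in NAT mode).

# Constructed sample of `VBoxManage showvminfo <vm> --machinereadable` output.
sample_vminfo() {
cat <<'EOF'
name="constructed-vm"
nic1="nat"
nictype1="82540EM"
nic2="bridged"
nictype2="82540EM"
nic3="nat"
nictype3="virtio"
nic4="none"
EOF
}

# Read machine-readable VM info on stdin and print the slot number of every
# adapter that is both in NAT mode and of type 82540EM.
flag_e1000_nat() {
    awk -F= '
        { gsub(/"/, "", $2); gsub(/\r/, "", $2) }
        $1 ~ /^nic[0-9]+$/     { mode[substr($1, 4)] = $2 }
        $1 ~ /^nictype[0-9]+$/ { type[substr($1, 8)] = $2 }
        END {
            for (n in mode)
                if (mode[n] == "nat" && type[n] == "82540EM") print n
        }' | sort -n
}

# Walk every registered VM and report flagged adapters. With FIX=1 the adapter
# type is changed to virtio; modifyvm only works while the VM is powered off.
audit_all_vms() {
    VBoxManage list vms | sed -n 's/.*{\(.*\)}$/\1/p' | while read -r uuid; do
        for slot in $(VBoxManage showvminfo "$uuid" --machinereadable | flag_e1000_nat); do
            echo "VM $uuid: adapter $slot is 82540EM in NAT mode"
            if [ "${FIX:-0}" = 1 ]; then
                VBoxManage modifyvm "$uuid" "--nictype$slot" virtio
            fi
        done
    done
}

if [ "${1:-}" = "--audit" ]; then audit_all_vms; fi
```

To use one of the PCnet adapters instead, replace `virtio` with `Am79C970A` or `Am79C973`.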
Vulnerable software versions
Oracle VM VirtualBox: 5.0.7 - 5.2.20
https://github.com/MorteNoir1/virtualbox_e1000_0day
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the local network (LAN).
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.