Oracle VirtualBox Zero-Day Vulnerability Leaked by Annoyed ResearcherNovember 15, 2018
Written by David Marshall
An independent researcher has discovered what he reports to be a zero-day vulnerability in VirtualBox, a popular general-purpose virtualization platform targeted at server, desktop and embedded use.
What’s interesting here is that the researcher chose to publicly disclose the security hole rather than privately inform the vendor, which in the case of VirtualBox is Oracle. He justified this act by calling it a reaction to his previous bad experience with Oracle. Last year, he found and reported a vulnerability that took almost 15 months for the vendor to release a fix. So this time, he took a different path of notification.
Sergey Zelenyuk, the Russian researcher, said he discovered a security flaw in Oracle’s VM VirtualBox that would allow someone to escape from the virtual environment of the guest machine to reach the Ring 3 privilege layer used for running code from most user programs with the least privileges. The zero-day vulnerability could allow an attacker with root access to then gain access to the underlying OS.
The vulnerability is reported to exist in VirtualBox 5.2.20 and prior versions.
Zelenyuk shared his findings in a write-up on Github, providing details of the exploit. He allegedly tested the Intel PRO/1000 MT Desktop (82540EM) network adapter in Network Address Translation (NAT) mode, referring to it as VirtualBox E1000. He described the exploit as "100% reliable," adding that "it either works always or never because of mismatched binaries or other, more subtle reasons I didn’t account."
Craig Young, a computer security researcher at Tripwire’s VERT (Vulnerability and Exposure Research Team), told VMblog that the vulnerability is in the implementation of a virtual Intel E1000 compatible network adapter.
"The write-up demonstrates how an attacker with permissions to load Linux kernel modules in a VirtualBox guest environment can achieve low-privileged code execution on the host OS which can then be elevated to gain administrative access to the host," said Young. "Anyone using VirtualBox for accessing untrusted content (malware analysts for example) should immediately review their machine profiles and at least temporarily discontinue use of the E1000 device in favor of the PCNET adapter."
Young went on to warn that users should avoid running any less than trustworthy applications in any VirtualBox environment with E1000 enabled until Oracle is able to release a fix.
As a work around until a patch is made available by the vendor, Zelenyuk recommends the following:
"Until the patched VirtualBox build is out you can change the network card of your virtual machines to PCnet (either of two) or to Paravirtualized Network. If you can’t, change the mode from NAT to another one. The former way is more secure."
Besides a detailed write-up of the entire exploit, Zelenyuk also published video proof, showing the zero-day in action against an Ubuntu VM running inside VirtualBox on an Ubuntu host OS.
About the Author
David Marshall is an industry recognized virtualization and cloud computing expert, a ten time recipient of the VMware vExpert distinction, and has been heavily involved in the industry for the past 20 years. To help solve industry challenges, he co-founded and helped start several successful virtualization software companies such as ProTier, Surgient, Hyper9 and Vertiscale. He also spent a few years transforming desktop virtualization while at Virtual Bridges.
David is also a co-author of two very popular server virtualization books: "Advanced Server Virtualization: VMware and Microsoft Platforms in the Virtual Data Center" and "VMware ESX Essentials in the Virtual Data Center" and the Technical Editor on Wiley’s "Virtualization for Dummies" and "VMware VI3 for Dummies" books. David also authored countless articles for a number of well known technical magazines, including: InfoWorld, Virtual-Strategy and TechTarget. In 2004, he founded the oldest independent virtualization and cloud computing news site, VMblog.com, which he still operates today.
Follow David Marshall