Expert discloses details of flaws in Oracle VirtualBox

Pierluigi Paganini November 24, 2021

A vulnerability in Oracle VM VirtualBox could be potentially exploited to compromise the hypervisor and trigger a denial-of-service (DoS) condition.

A vulnerability in Oracle VM VirtualBox, tracked as CVE-2021-2442, could be potentially exploited to compromise the hypervisor and trigger a DoS condition. The vulnerability was discovered by Max Van Amerongen from SentinelLabs, it received a CVSS score of 6.0 and affects versions prior to 6.1.24.

“Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox.” reads the advisory published by NIST.

The CVE-2021-2442 vulnerability was addressed by Oracle in July with the release of Critical Patch Update.

Amerongen also discovered other two vulnerabilities tracked as CVE-2021-2145 and CVE-2021-2310 respectively.

The CVE-2021-2145 is an integer underflow privilege escalation vulnerability in Oracle VirtualBox NAT, while the CVE-2021-2310 is a heap-based buffer overflow privilege escalation vulnerability in Oracle VirtualBox NAT.

The flaws are caused by the lack of proper validation of user input data, their exploitation can allow an attacker to escalate privileges and execute arbitrary code on the a vulnerable Oracle VM VirtualBox.

Both issues affect versions before 6.1.20 and have been addressed addressed by Oracle in April 2021.

“Offload support is commonplace in modern network devices so it’s only natural that virtualization software emulating devices does it as well. While most public research has been focused on their main components, such as ring buffers, offloads don’t appear to have had as much scrutiny. Unfortunately in this case I didn’t manage to get an exploit together in time for the Pwn2Own contest, so I ended up reporting the first two to the Zero Day Initiative and the checksum bug to Oracle directly.” wrote Van Amerongen

Businesses and organizations are recommended to update their VirtualBox installations to the latest version as soon as possible.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Oracle)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment