Expert discloses details of flaws in Oracle VirtualBox

A vulnerability in Oracle VM VirtualBox could be potentially exploited to compromise the hypervisor and trigger a denial-of-service (DoS) condition.

A vulnerability in Oracle VM VirtualBox, tracked as CVE-2021-2442, could be potentially exploited to compromise the hypervisor and trigger a DoS condition. The vulnerability was discovered by Max Van Amerongen from SentinelLabs, it received a CVSS score of 6.0 and affects versions prior to 6.1.24.

“Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox.” reads the advisory published by NIST.

The CVE-2021-2442 vulnerability was addressed by Oracle in July with the release of Critical Patch Update.

Amerongen also discovered other two vulnerabilities tracked as CVE-2021-2145 and CVE-2021-2310 respectively.

The CVE-2021-2145 is an integer underflow privilege escalation vulnerability in Oracle VirtualBox NAT, while the CVE-2021-2310 is a heap-based buffer overflow privilege escalation vulnerability in Oracle VirtualBox NAT.

The flaws are caused by the lack of proper validation of user input data, their exploitation can allow an attacker to escalate privileges and execute arbitrary code on the a vulnerable Oracle VM VirtualBox.

Both issues affect versions before 6.1.20 and have been addressed addressed by Oracle in April 2021.

“Offload support is commonplace in modern network devices so it’s only natural that virtualization software emulating devices does it as well. While most public research has been focused on their main components, such as ring buffers, offloads don’t appear to have had as much scrutiny. Unfortunately in this case I didn’t manage to get an exploit together in time for the Pwn2Own contest, so I ended up reporting the first two to the Zero Day Initiative and the checksum bug to Oracle directly.” wrote Van Amerongen

Businesses and organizations are recommended to update their VirtualBox installations to the latest version as soon as possible.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Oracle)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.