A researcher has allegedly discovered a zero-day vulnerability in VirtualBox. Although zero-day discoveries are not unusual, what makes this report interesting is that the researcher disclosed the flaw publicly without informing the vendor. So, we may not expect a patch anytime soon.
Zero-Day Vulnerability In VirtualBox
Reportedly, Russian researcher Sergey Zelenyuk discovered a security flaw in Oracle's VM VirtualBox. As explained, this zero-day vulnerability in VirtualBox can allow an attacker with root access to escape the virtual environment and gain access to the underlying OS.
Zelenyuk shared his findings in a detailed write-up on GitHub explaining the technicalities of the exploit. He allegedly tested the Intel PRO/1000 MT Desktop (82540EM), which he refers to as the VirtualBox E1000. According to his report,
“The E1000 has a vulnerability allowing an attacker with root/administrator privileges in a guest to escape to a host ring3. Then the attacker can use existing techniques to escalate privileges to ring 0 via /dev/vboxdrv.”
The researcher confirmed that the vulnerability he found is reliably exploitable.
“The exploit is 100% reliable. It means it either works always or never because of mismatched binaries or other, more subtle reasons I didn’t account. It works at least on Ubuntu 16.04 and 18.04 x86_64 guests with default configuration.”
He has also demonstrated the exploit in a video.
No Responsible Disclosure Followed
As the researcher explained in his report, he did not inform Oracle of the vulnerability before the disclosure. He justified this as a reaction to his previous bad experience with Oracle. Last year, he found and reported a vulnerability to Oracle, and the vendor took around 15 months to release a fix.
According to his findings, the zero-day affects VirtualBox 5.2.20 and earlier versions. While Oracle released an update to this software on November 9, 2018, as VirtualBox 5.2.22, it did not mention anything about a possible fix for this zero-day flaw. This means the vendor still has to release a fix.
Until a patch is available, Zelenyuk recommends some mitigations.
“Until the patched VirtualBox build is out you can change the network card of your virtual machines to PCnet (either of two) or to Paravirtualized Network. If you can’t, change the mode from NAT to another one. The former way is more secure.”
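To see which guests still need the mitigation quoted above, the adapter type and attachment mode of each VM can be audited. This is an added example, not code from the article or from Zelenyuk's write-up; it assumes the `nicN=` and `nictypeN=` keys of VBoxManage's machine-readable output, and the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit VirtualBox guests for the NIC setup the article describes.
# audit_nics reads `VBoxManage showvminfo <vm> --machinereadable` text on stdin
# and prints one line per enabled adapter: nic<slot> <type> <mode> <verdict>
#   EXPOSED = 82540EM (E1000) in NAT mode, the configuration in the write-up
#   PARTIAL = still 82540EM but not NAT (the weaker of the two mitigations)
#   OK      = PCnet (Am79C970A / Am79C973) or Paravirtualized Network (virtio)
#   REVIEW  = any other adapter type; the article does not cover it
audit_nics() {
    awk -F= '
    /^nic[0-9]+=/     { s = substr($1, 4); gsub(/"/, "", $2); mode[s] = $2 }
    /^nictype[0-9]+=/ { s = substr($1, 8); gsub(/"/, "", $2); type[s] = $2 }
    END {
        for (s = 1; s <= 36; s++) {
            if (!(s in mode) || mode[s] == "none") continue   # slot disabled
            t = type[s]; m = mode[s]
            if (t == "82540EM" && m == "nat")         v = "EXPOSED"
            else if (t == "82540EM")                  v = "PARTIAL"
            else if (t == "virtio" || t ~ /^Am79C97/) v = "OK"
            else                                      v = "REVIEW"
            printf "nic%d %s %s %s\n", s, t, m, v
        }
    }'
}

# Audit every registered VM on this host, prefixing each line with the VM UUID.
audit_all_vms() {
    VBoxManage list vms | sed 's/.*{\(.*\)}$/\1/' | while read -r uuid; do
        VBoxManage showvminfo "$uuid" --machinereadable | audit_nics | sed "s/^/$uuid /"
    done
}

# Constructed sample input (not captured from a real host).
SAMPLE='name="demo"
nic1="nat"
nictype1="82540EM"
natnet1="nat"
nic2="bridged"
nictype2="82540EM"
nic3="nat"
nictype3="virtio"
nic4="none"'

if [ "${1:-}" = "--all" ]; then
    audit_all_vms
else
    printf '%s\n' "$SAMPLE" | audit_nics
fi
```

Run it with `--all` on a host that has VBoxManage in its PATH. An adapter flagged EXPOSED or PARTIAL can be switched while the VM is powered off with `VBoxManage modifyvm <vm> --nictype1 virtio` (or `Am79C973` for PCnet).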