Share
Enterprise tech giant Oracle released a collection of critical security patches this month to address 10 exploitable vulnerabilities in VirtualBox.
Both popular and powerful, VirtualBox is Oracle’s hypervisor, which allows users to run virtual machines on a user’s host operating system.
Affecting anyone using VirtualBox, the “easily exploitable” vulnerabilities allow a hacker to stage a “virtual machine escape” and attack the host operating system, TechRepublic reports.
The vulnerabilities are found in the core graphics framework that is mirrored between the host and guest machine. It affects all host operating systems, according to SecuriTeam. You can find an extensive and technical write-up of the exploits here.
The vulnerability in mirrored memory allows attackers to exploit the host operating system from the virtual machine.
This particular vulnerability, CVE-2018-2698, was found by independent security researcher Niklas Baumstark via Beyond Security’s SecuriTeam.
After Oracle issued patches and an announcement, Baumstark outlined the problems on Twitter:
CVE-2018-2698 is a powerful OOB read/write primitive in the (always-on) VBVA graphics component. It can be used to escape a VBox VM and escalate privs to SYSTEM on Windows 10 hosts. Since the patch is public now, definitely upgrade if you are running malicious code inside a VM. pic.twitter.com/2s4IWuNq3e
— Niklas B (@_niklasb) January 17, 2018
Oracle fixed some of my VBox bugs 🙂 CVE-2018-2694 was the macOS privilege escalation. strcpy into a fixed-size heap buffer… It's interesting this is even exploitable, my approach was to spray memory inside the guest which ends up at predictable addresses in the host process. pic.twitter.com/0A5doVXYnR
— Niklas B (@_niklasb) January 17, 2018
Oracle has a full list of vulnerabilities addressed by the January patches including patches addressing the Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) Intel processor vulnerabilities. Oracle is monitoring the performance impact of the patches in much the same way that other major vendors, including Amazon and Microsoft, are doing.
Oracle urges all VirtualBox users to apply the latest patches.