Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Oracle VirtualBox Memory Corruption Vulnerabilities Uncovered

Researchers at Core Security uncovered a set of serious vulnerabilities affecting Oracle VirtualBox that can be targeted to remotely execute code.

VirtualBox is a virtualization software package for x86 and AMD64/Intel64-based computers. Among other capabilities, VirtualBox allows guest machines to use the host machine’s GPU to render 3D graphics based on OpenGL or Direct3D APIs.

Researchers at Core Security uncovered a set of serious vulnerabilities affecting Oracle VirtualBox that can be targeted to remotely execute code.

VirtualBox is a virtualization software package for x86 and AMD64/Intel64-based computers. Among other capabilities, VirtualBox allows guest machines to use the host machine’s GPU to render 3D graphics based on OpenGL or Direct3D APIs.

According to Core Security, there are multiple memory corruption vulnerabilities in the code that implements this feature for OpenGL graphics that permit an attacker who is already running code within a guest OS to escape from the virtual machine and execute code on the host.

“VirtualBox makes use of the Chromium open-source library (not to be confused with the open-source web browser) in order to provide 3D Acceleration for OpenGL graphics,” Core Security explained in its advisory. “Chromium provides remote rendering of OpenGL graphics through a client/server model, in which a client (i.e. an OpenGL application) delegates the rendering to the server, which has access to 3D-capable hardware.”

“When 3D Acceleration is enabled in VirtualBox, OpenGL apps running within a Guest OS (acting as Chromium clients) will send rendering commands to the Chromium server, which is running in the context of the hypervisor in the Host OS.”

According to Core Security, the code that handles OpenGL rendering commands on the host side that is prone to the memory corruption vulnerabilities.

Advertisement. Scroll to continue reading.

“The vulnerabilities are critical in the sense that they break one strong assumption we do about virtualization: that programs running inside a virtual machine (VM) are isolated from the host system that runs the virtualization software,” explained Francisco Falcon from Core Security’s Exploit Writers Team. “Having said that, the vulnerabilities depend on a non-default configuration: The vulnerabilities affect those VirtualBox virtual machines in which the 3D Acceleration feature has been enabled.”

“A typical scenario,” he said, “would be that of a malware analyst running a malware sample inside a VM to avoid infections on his physical system; the malware could leverage these vulnerabilities in order to break out of the isolation imposed by the Oracle virtualization software and escape from the VM, thus infecting the analyst’s physical machine.”

According to Core Security, Oracle VirtualBox v4.2.20 and earlier and Oracle VirtualBox v4.3.6 and earlier are known to be affected. Other versions may be affected as well but were not tested. VirtualBox v4.3.8 is not vulnerable. Oracle has not yet issued a patch for the 4.2x versions, Falcon said. 

If patching is not possible, an effective mitigation would be to edit the configuration of the virtual machines and disable 3D Acceleration, Falcon said. 

Written By

Marketing professional with a background in journalism and a focus on IT security.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

BlueVoyant has appointed Ravi Subramanian as CFO and Jamie Coleman as CCO.

Solana Foundation has appointed Michael Coates as Chief Information Security Officer.

Michael Sikorski has joined Coinbase as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.