Researchers at Core Security uncovered a set of serious vulnerabilities affecting Oracle VirtualBox that can be targeted to remotely execute code.
VirtualBox is a virtualization software package for x86 and AMD64/Intel64-based computers. Among other capabilities, VirtualBox allows guest machines to use the host machine's GPU to render 3D graphics based on OpenGL or Direct3D APIs.
According to Core Security, there are multiple memory corruption vulnerabilities in the code that implements this feature for OpenGL graphics that permit an attacker who is already running code within a guest OS to escape from the virtual machine and execute code on the host.
"VirtualBox makes use of the Chromium open-source library (not to be confused with the open-source web browser) in order to provide 3D Acceleration for OpenGL graphics," Core Security explained in its advisory. "Chromium provides remote rendering of OpenGL graphics through a client/server model, in which a client (i.e. an OpenGL application) delegates the rendering to the server, which has access to 3D-capable hardware."
"When 3D Acceleration is enabled in VirtualBox, OpenGL apps running within a Guest OS (acting as Chromium clients) will send rendering commands to the Chromium server, which is running in the context of the hypervisor in the Host OS."
According to Core Security, the code that handles OpenGL rendering commands on the host side that is prone to the memory corruption vulnerabilities.
"The vulnerabilities are critical in the sense that they break one strong assumption we do about virtualization: that programs running inside a virtual machine (VM) are isolated from the host system that runs the virtualization software," explained Francisco Falcon from Core Security's Exploit Writers Team. "Having said that, the vulnerabilities depend on a non-default configuration: The vulnerabilities affect those VirtualBox virtual machines in which the 3D Acceleration feature has been enabled."
"A typical scenario," he said, "would be that of a malware analyst running a malware sample inside a VM to avoid infections on his physical system; the malware could leverage these vulnerabilities in order to break out of the isolation imposed by the Oracle virtualization software and escape from the VM, thus infecting the analyst's physical machine."
According to Core Security, Oracle VirtualBox v4.2.20 and earlier and Oracle VirtualBox v4.3.6 and earlier are known to be affected. Other versions may be affected as well but were not tested. VirtualBox v4.3.8 is not vulnerable. Oracle has not yet issued a patch for the 4.2x versions, Falcon said.
If patching is not possible, an effective mitigation would be to edit the configuration of the virtual machines and disable 3D Acceleration, Falcon said.