Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Oracle VirtualBox Memory Corruption Vulnerabilities Uncovered

Researchers at Core Security uncovered a set of serious vulnerabilities affecting Oracle VirtualBox that can be targeted to remotely execute code.

VirtualBox is a virtualization software package for x86 and AMD64/Intel64-based computers. Among other capabilities, VirtualBox allows guest machines to use the host machine’s GPU to render 3D graphics based on OpenGL or Direct3D APIs.

Researchers at Core Security uncovered a set of serious vulnerabilities affecting Oracle VirtualBox that can be targeted to remotely execute code.

VirtualBox is a virtualization software package for x86 and AMD64/Intel64-based computers. Among other capabilities, VirtualBox allows guest machines to use the host machine’s GPU to render 3D graphics based on OpenGL or Direct3D APIs.

According to Core Security, there are multiple memory corruption vulnerabilities in the code that implements this feature for OpenGL graphics that permit an attacker who is already running code within a guest OS to escape from the virtual machine and execute code on the host.

“VirtualBox makes use of the Chromium open-source library (not to be confused with the open-source web browser) in order to provide 3D Acceleration for OpenGL graphics,” Core Security explained in its advisory. “Chromium provides remote rendering of OpenGL graphics through a client/server model, in which a client (i.e. an OpenGL application) delegates the rendering to the server, which has access to 3D-capable hardware.”

“When 3D Acceleration is enabled in VirtualBox, OpenGL apps running within a Guest OS (acting as Chromium clients) will send rendering commands to the Chromium server, which is running in the context of the hypervisor in the Host OS.”

According to Core Security, the code that handles OpenGL rendering commands on the host side that is prone to the memory corruption vulnerabilities.

“The vulnerabilities are critical in the sense that they break one strong assumption we do about virtualization: that programs running inside a virtual machine (VM) are isolated from the host system that runs the virtualization software,” explained Francisco Falcon from Core Security’s Exploit Writers Team. “Having said that, the vulnerabilities depend on a non-default configuration: The vulnerabilities affect those VirtualBox virtual machines in which the 3D Acceleration feature has been enabled.”

“A typical scenario,” he said, “would be that of a malware analyst running a malware sample inside a VM to avoid infections on his physical system; the malware could leverage these vulnerabilities in order to break out of the isolation imposed by the Oracle virtualization software and escape from the VM, thus infecting the analyst’s physical machine.”

Advertisement. Scroll to continue reading.

According to Core Security, Oracle VirtualBox v4.2.20 and earlier and Oracle VirtualBox v4.3.6 and earlier are known to be affected. Other versions may be affected as well but were not tested. VirtualBox v4.3.8 is not vulnerable. Oracle has not yet issued a patch for the 4.2x versions, Falcon said. 

If patching is not possible, an effective mitigation would be to edit the configuration of the virtual machines and disable 3D Acceleration, Falcon said. 

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.