Now on Demand: Zero Trust Strategies Summit - Access All Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Oracle VirtualBox Memory Corruption Vulnerabilities Uncovered

Researchers at Core Security uncovered a set of serious vulnerabilities affecting Oracle VirtualBox that can be targeted to remotely execute code.

VirtualBox is a virtualization software package for x86 and AMD64/Intel64-based computers. Among other capabilities, VirtualBox allows guest machines to use the host machine’s GPU to render 3D graphics based on OpenGL or Direct3D APIs.

Researchers at Core Security uncovered a set of serious vulnerabilities affecting Oracle VirtualBox that can be targeted to remotely execute code.

VirtualBox is a virtualization software package for x86 and AMD64/Intel64-based computers. Among other capabilities, VirtualBox allows guest machines to use the host machine’s GPU to render 3D graphics based on OpenGL or Direct3D APIs.

According to Core Security, there are multiple memory corruption vulnerabilities in the code that implements this feature for OpenGL graphics that permit an attacker who is already running code within a guest OS to escape from the virtual machine and execute code on the host.

“VirtualBox makes use of the Chromium open-source library (not to be confused with the open-source web browser) in order to provide 3D Acceleration for OpenGL graphics,” Core Security explained in its advisory. “Chromium provides remote rendering of OpenGL graphics through a client/server model, in which a client (i.e. an OpenGL application) delegates the rendering to the server, which has access to 3D-capable hardware.”

“When 3D Acceleration is enabled in VirtualBox, OpenGL apps running within a Guest OS (acting as Chromium clients) will send rendering commands to the Chromium server, which is running in the context of the hypervisor in the Host OS.”

According to Core Security, the code that handles OpenGL rendering commands on the host side that is prone to the memory corruption vulnerabilities.

“The vulnerabilities are critical in the sense that they break one strong assumption we do about virtualization: that programs running inside a virtual machine (VM) are isolated from the host system that runs the virtualization software,” explained Francisco Falcon from Core Security’s Exploit Writers Team. “Having said that, the vulnerabilities depend on a non-default configuration: The vulnerabilities affect those VirtualBox virtual machines in which the 3D Acceleration feature has been enabled.”

“A typical scenario,” he said, “would be that of a malware analyst running a malware sample inside a VM to avoid infections on his physical system; the malware could leverage these vulnerabilities in order to break out of the isolation imposed by the Oracle virtualization software and escape from the VM, thus infecting the analyst’s physical machine.”

Advertisement. Scroll to continue reading.

According to Core Security, Oracle VirtualBox v4.2.20 and earlier and Oracle VirtualBox v4.3.6 and earlier are known to be affected. Other versions may be affected as well but were not tested. VirtualBox v4.3.8 is not vulnerable. Oracle has not yet issued a patch for the 4.2x versions, Falcon said. 

If patching is not possible, an effective mitigation would be to edit the configuration of the virtual machines and disable 3D Acceleration, Falcon said. 

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Former Darktrace CEO Poppy Gustafsson has joined the UK government as Minister for Investment.

Nupur Goyal has joined cloud identity security and management solutions provider Saviynt as VP of Product Marketing.

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.