Researcher Drops Oracle VirtualBox Zero-Day

A researcher has disclosed the details of a zero-day vulnerability affecting Oracle’s VirtualBox virtualization software. The flaw appears serious as exploitation can allow a guest-to-host escape.

Russian researcher Sergey Zelenyuk discovered the security hole and decided to make his findings public before giving Oracle the chance to release a patch, citing his “disagreement with [the] contemporary state of infosec, especially of security research and bug bounty.”

According to Zelenyuk, the vulnerability affects VirtualBox 5.2.20 and prior versions – 5.2.20 is the latest version, released on October 16 – and it can be exploited on any host or guest operating system as the underlying bugs affect shared code. The expert has tested his exploit, which he claims is “100% reliable,” on Ubuntu 16.04 and 18.04 x86-64 guests, but he believes the attack also works against Windows.

An attack can only be carried out against virtual machines using an Intel PRO/1000 MT Desktop (82540EM) network card (E1000), with network address translation (NAT) enabled, which is the default configuration.

The security hole, caused by memory corruption bugs, allows an attacker with root or administrator privileges to the guest system to escape to the host userland (ring 3). From there, they may be able to obtain kernel privileges (ring 0) on the host by exploiting other vulnerabilities. Exploitation starts by loading a Linux kernel module (LKM) in the guest operating system.

“Elevated privileges are required to load a driver in both OSs. It’s common and isn’t considered an insurmountable obstacle. Look at Pwn2Own contest where researchers use exploit chains: a browser opened a malicious website in the guest OS is exploited, a browser sandbox escape is made to gain full ring 3 access, an operating system vulnerability is exploited to pave a way to ring 0, where there is anything you need to attack a hypervisor from the guest OS,” the researcher explained in a post on GitHub.

“The most powerful hypervisor vulnerabilities are for sure those that can be exploited from guest ring 3. There in VirtualBox is also such code that is reachable without guest root privileges, and it’s mostly not audited yet,” he added.

While some agree with Zelenyuk regarding the current state of bug bounty programs, others questioned his decision.

Contacted by SecurityWeek, Oracle declined to comment and instead pointed to its vulnerability disclosure policies.

Until a patch is made available, users can protect themselves against potential attacks by changing the network card on their virtual machines to AMD PCnet or a paravirtualized network adapter. Another mitigation involves avoiding the use of NAT, Zelenyuk said.
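To find which virtual machines still use the affected configuration, the following added example (not from the researcher or Oracle) parses `VBoxManage showvminfo --machinereadable` output and reports every adapter that is both an 82540EM and attached via NAT. The sample VM data and the function names are constructed for illustration; the script assumes VBoxManage is on the PATH for the live audit.

```bash
#!/usr/bin/env bash
# Constructed sample of `VBoxManage showvminfo <vm> --machinereadable` output.
SAMPLE_VMINFO='name="build-agent"
nic1="nat"
nictype1="82540EM"
nic2="bridged"
nictype2="82540EM"
nic3="nat"
nictype3="virtio"
nic4="none"'

# Read machine-readable VM info on stdin; print the slot number of every
# adapter that is both an 82540EM (E1000) and attached in NAT mode.
exposed_nics() {
  awk -F= '
    { gsub(/"/, "", $2) }
    $1 ~ /^nic[0-9]+$/     { mode[substr($1, 4)] = $2 }
    $1 ~ /^nictype[0-9]+$/ { type[substr($1, 8)] = $2 }
    END {
      for (n in mode)
        if (mode[n] == "nat" && type[n] == "82540EM") print n
    }' | sort -n
}

# Walk every registered VM and report exposed adapters with the change to make.
# Assumes VBoxManage is on PATH; modifyvm requires the VM to be powered off.
audit_all_vms() {
  command -v VBoxManage >/dev/null 2>&1 || { echo "VBoxManage not found" >&2; return 1; }
  VBoxManage list vms | sed -n 's/.*{\(.*\)}$/\1/p' | while read -r uuid; do
    for slot in $(VBoxManage showvminfo "$uuid" --machinereadable | exposed_nics); do
      echo "$uuid nic$slot: 82540EM + NAT"
      echo "  paravirtualized: VBoxManage modifyvm $uuid --nictype$slot virtio"
      echo "  AMD PCnet:       VBoxManage modifyvm $uuid --nictype$slot Am79C973"
    done
  done
}

# Demo on the constructed sample (prints 1); run audit_all_vms on a real host.
printf '%s\n' "$SAMPLE_VMINFO" | exposed_nics
```

In the sample, only slot 1 is flagged: slot 2 is an 82540EM but bridged, and slot 3 uses NAT with a paravirtualized adapter.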

The researcher has published a video showing the exploit in action:

VirtualBox E1000 Guest-to-Host Escape from Sergey Zelenyuk on Vimeo.

*Updated with response from Oracle


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
