A vulnerability in Oracle VM VirtualBox, tracked as CVE-2021-2442, could be potentially exploited to compromise the hypervisor and trigger a DoS condition. The vulnerability was discovered by Max Van Amerongen from SentinelLabs, it received a CVSS score of 6.0 and affects versions prior to 6.1.24.
“Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox.” reads the advisory published by NIST.
The CVE-2021-2442 vulnerability was addressed by Oracle in July with the release of Critical Patch Update.
The CVE-2021-2145 is an integer underflow privilege escalation vulnerability in Oracle VirtualBox NAT, while the CVE-2021-2310 is a heap-based buffer overflow privilege escalation vulnerability in Oracle VirtualBox NAT.
The flaws are caused by the lack of proper validation of user input data, their exploitation can allow an attacker to escalate privileges and execute arbitrary code on the a vulnerable Oracle VM VirtualBox.
Both issues affect versions before 6.1.20 and have been addressed addressed by Oracle in April 2021.
“Offload support is commonplace in modern network devices so it’s only natural that virtualization software emulating devices does it as well. While most public research has been focused on their main components, such as ring buffers, offloads don’t appear to have had as much scrutiny. Unfortunately in this case I didn’t manage to get an exploit together in time for the Pwn2Own contest, so I ended up reporting the first two to the Zero Day Initiative and the checksum bug to Oracle directly.” wrote Van Amerongen
Businesses and organizations are recommended to update their VirtualBox installations to the latest version as soon as possible.
(SecurityAffairs – hacking, Oracle)