Oracle has released patches for ten vulnerabilities in VirtualBox which allow attackers to break out of guest operating systems and attack the host operating system that VirtualBox runs on. Exploits using this method, known as a “virtual machine escape,” have been the subject of intense interest among security researchers following the disclosure of the Venom vulnerability in 2015.

The vulnerabilities are collectively published as CVE-2018-2676, CVE-2018-2685, CVE-2018-2686, CVE-2018-2687, CVE-2018-2688, CVE-2018-2689, CVE-2018-2690, CVE-2018-2693, CVE-2018-2694, and CVE-2018-2698. While they all share the same resultant effect, the method involved–and subsequently the ease with which attackers can leverage the vulnerability–varies.

SEE: Network security policy (Tech Pro Research)

Shared memory interface vulnerability

Of particular interest is CVE-2018-2698, which was discovered by Niklas Baumstark, and reported by Beyond Security. This vulnerability exists in the core graphics framework of VirtualBox, and is exploitable on any host operating system. Specifically, the VGA device VirtualBox provides for guest operating systems is allocated VRAM, which is mirrored between the host process and guest kernel.

This memory serves double duty, as the host/guest shared memory interface (HGSMI) is handled through the VGA device. This component is used to share information between the guest and host operating systems, and also enables features like mouse pointer integration and seamless windows, which allow guest apps to run as an overlay on the host OS–a feature called “Unity” in VMware and “Coherence” on Parallels Desktop. HGSMI can also be used to copy data to VRAM. This copy ability provides attackers in the guest OS a means to read and write data out-of-bounds on the host.

According to Baumstark, this allows attackers to execute arbitrary operations on a Windows 10 host as SYSTEM.

VMM device communication breakout

Another VirtualBox component-vmmdev, the communications bridge between the host OS and the VirtualBox Guest Additions package-has a vulnerability that allows privilege escalation on Mac OS X hosts. This is covered by CVE-2018-2694.

Similarly, a vulnerability in the Guest Additions itself in CVE-2018-2693 allows attackers to gain access to the host platform. The notes in NVD indicate that, while this is easy to exploit, it requires actions to be taken by someone other than the attacker.

SEE: VirtualBox: Everything the pros need to know (TechRepublic)

Though patches have been issued, full details of the vulnerabilities are not yet available.

Who do these vulnerabilities impact?

Anyone using VirtualBox is potentially vulnerable to the listed CVEs, though some of the reported vulnerabilities are specific to host OSes. The newly-released patches are available in the latest version (5.2.6), as well as the oldstable branch (5.1.32). For users running untrusted code in guest VMs, urgent updating is recommended. Because vulnerabilities affect both the VirtualBox hypervisor and guest additions, updating the guest additions inside your virtual machines is also required.

While VirtualBox is a popular general-purpose hypervisor, it is more commonly used for desktop virtualization. Compared to other products, VirtualBox has more extensive and reliable support for exotic or rare guest operating systems, such as OS/2 and Haiku.

Support for the VirtualBox guest driver is also being integrated into the Linux kernel, as of version 4.16. Work on mainlining the shared folder driver is also underway, though this is not anticipated to be ready in time–it is expected to be added in the merge window for kernel 4.17. The next step for Red Hat’s Hans de Goede is landing the “vboxsf” driver for VirtualBox guest shared folder support. The shared folder driver depends upon vboxguest and the patches for review are now on the mailing list, but likely will be too late for getting into Linux 4.16.

For server and cloud operations, hypervisors such as KVM and VMware are more common, as are container apps such as Docker.

Image: iStockphoto/Elen11