Main Vulnerability Database Vulnerabilities #VU15740

#VU15740 Privilege escalation in Oracle VM VirtualBox

Published: November 7, 2018

Vulnerability identifier: #VU15740

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear

CVE-ID: N/A

CWE-ID: CWE-191

Exploitation vector: Adjecent network

Exploit availability: No public exploit available

Vulnerable software:
Oracle VM VirtualBox

Software vendor:
Oracle

Description

The vulnerability allows an adjacent attacker to gain elevated privileges on the target system.

The weakness exists in a shared code base of the virtualization software on virtual machines configured with the Intel PRO/1000 MT Desktop (82540EM) network adapter in Network Address Translation (NAT) mode due to default setup that may lead to multiple boundary errors. An adjacent attacker can trigger an integer underflow condition using packet descriptors - data segments that allow the network adapter to track network packet data in the system memory, to read data from the guest OS to cause heap-based buffer overflow that may lead to overwriting function pointers; or to cause a stack overflow condition.

Successful exploitation of the vulnerability allows an adjacent attacker with root/administrator privileges to escape the virtual environment of the guest machine and reach the Ring 3 privilege layer to escalate privileges to ring 0 via /dev/vboxdrv.

Remediation

Until the patched VirtualBox build is out you can change the network card of your virtual machines to PCnet (either of two) or to Paravirtualized Network. If you can't, change the mode from NAT to another one. The former way is more secure.

External links

https://github.com/MorteNoir1/virtualbox_e1000_0day