VirtualBox Unpatched Zero-Day Vulnerability and Exploit Released Online

A major Oracle VirtualBox zero-day vulnerability, together with a working exploit, was released by a disgruntled security researcher. The vulnerability affects VirtualBox versions up to and including 5.2.20. It allows a malicious actor with administrator or root privileges inside the guest OS to escape the guest and execute code on the host operating system. Because the flaw lies in code shared by all host platforms, it is platform independent.

The vulnerability is caused by memory corruption issues in the Intel PRO/1000 MT Desktop (E1000) virtual network adapter when it is attached in Network Address Translation (NAT) mode. This is the default network configuration for most virtual machines created with VirtualBox. Given the highly detailed explanation of how the vulnerability is exploited, and the fact that it affects the default configuration of most virtual machines, the issue is very serious and puts a large population of virtual machines at risk. The security researcher claims that:

“The exploit is 100% reliable. It means it either works always or never because of mismatched binaries or other, more subtle reasons he didn’t account. It works at least on Ubuntu 16.04 and 18.04 x86_64 guests with default configuration.”

A detailed description of the vulnerability and the exploit can be found on the user’s GitHub page https://github.com/MorteNoir1/virtualbox_e1000_0day

A patch for the vulnerability was not available as of November 8, 2018. Until one becomes available, changing the virtual Ethernet card to PCnet and changing the network mode to a mode other than NAT would help deter the exploit and secure any virtual machine. A demo of the exploit in action can be found here: https://vimeo.com/299325088
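As an added example (not from the original post or the researcher's repository), the script below audits VirtualBox VMs for the at-risk combination, an E1000 adapter in NAT mode, and applies the mitigation described above. It assumes the real `VBoxManage` CLI (`list vms`, `showvminfo --machinereadable`, `modifyvm --nictypeN/--nicN`) and uses bridged mode as one example of a non-NAT attachment; the checker itself parses `showvminfo` text, so it can be tried offline on a captured dump.

```shell
#!/bin/sh
# Audit VirtualBox VMs for an Intel PRO/1000 (E1000) virtual NIC
# (nictype 82540EM, 82543GC or 82545EM) attached in NAT mode, and
# optionally remediate by switching to PCnet-FAST III off NAT.

# Print "nicN" for every adapter that is both an E1000 variant and NAT.
# Reads the output of `VBoxManage showvminfo <vm> --machinereadable`
# on stdin (lines such as nic1="nat" and nictype1="82540EM").
find_risky_nics() {
    awk -F'=' '
        /^nic[0-9]+=/     { n=$1; gsub(/"/,"",$2); mode[n]=$2 }
        /^nictype[0-9]+=/ { n=$1; sub(/^nictype/,"nic",n); gsub(/"/,"",$2); type[n]=$2 }
        END {
            for (n in mode)
                if (mode[n]=="nat" && type[n] ~ /^(82540EM|82543GC|82545EM)$/)
                    print n
        }' | sort
}

# Mitigation from the text: swap the adapter to PCnet-FAST III (Am79C973)
# and move it off NAT. Bridged mode is an assumption here; any non-NAT
# attachment works. The VM must be powered off for modifyvm to succeed.
remediate_vm() {
    vm=$1
    for nic in $(VBoxManage showvminfo "$vm" --machinereadable | find_risky_nics); do
        idx=${nic#nic}
        VBoxManage modifyvm "$vm" --nictype"$idx" Am79C973 --nic"$idx" bridged
        echo "$vm: $nic switched to PCnet-FAST III, bridged"
    done
}

# Report every registered VM that still has a risky adapter.
audit_all() {
    VBoxManage list vms | sed 's/^"\(.*\)" .*/\1/' | while read -r vm; do
        VBoxManage showvminfo "$vm" --machinereadable | find_risky_nics | sed "s/^/$vm: /"
    done
}
```

Run `audit_all` first to see which VMs are affected, then `remediate_vm <name>` for each one while it is powered off.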

The researcher decided to publicly disclose the vulnerability due to his displeasure with how Oracle had dealt with him the last time he responsibly disclosed a vulnerability. Overall he does not agree with the current state of security research and bug bounty programs.