Bad news for users of Oracle's virtualization solution VirtualBox up to version 5.2.20: there is a 0-day vulnerability in the E1000 network component. Unfortunately, an exploit for this vulnerability has also become public. So if you use VirtualBox, you should react and adjust the network configuration.
The person who discovered the vulnerability has published the details on GitHub. He is probably quite frustrated with how reported bugs are handled by Oracle. Therefore, he has decided to make a full disclosure.
The vulnerability
There is an unpatched vulnerability in VirtualBox 5.2.20 (released on October 16, 2018) and earlier versions. This affects every host and guest operating system because the bug is in the shared code base.
The 0-day vulnerability can be exploited if an Intel PRO/1000 MT Desktop (82540EM) network card is configured for the VM in conjunction with the NAT network mode. This combination is referred to as E1000 in the GitHub article.
The vulnerability allows an attacker with root/administrator privileges in a guest system to break out of the guest and reach ring 3 on the host. The attacker can then use existing techniques to escalate privileges and reach ring 0 via /dev/vboxdrv.
The attack scenario is described for interested blog readers in the GitHub post. However, it is usually sufficient to use the workaround described below and reconfigure the network interface to solve the problem.
Mitigating this vulnerability
Until a patched VirtualBox build is available, users can change the network card of a virtual machine to PCnet or Paravirtualized Network. If this is not possible, you should not use NAT mode.
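To find out which virtual machines use the affected combination, the following script (an added example, not part of the original post or the GitHub write-up) parses the output of `VBoxManage showvminfo --machinereadable` and lists every adapter that pairs the 82540EM card with NAT. The sample VM data is constructed, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post): find VM adapters that combine
# the Intel PRO/1000 MT Desktop (82540EM) NIC with NAT attachment.

# Constructed sample of `VBoxManage showvminfo <vm> --machinereadable` output.
SAMPLE_VMINFO='name="constructed-test-vm"
nic1="nat"
nictype1="82540EM"
nic2="bridged"
nictype2="82540EM"
nic3="nat"
nictype3="virtio"
nic4="none"'

# Reads machine-readable VM info on stdin and prints the slot number of every
# adapter whose attachment is "nat" and whose type is "82540EM".
find_e1000_nat_slots() {
    awk -F= '
        { v = $2; gsub(/"/, "", v) }
        $1 ~ /^nic[0-9]+$/     { mode[substr($1, 4)] = v }
        $1 ~ /^nictype[0-9]+$/ { kind[substr($1, 8)] = v }
        END {
            for (s in mode)
                if (mode[s] == "nat" && kind[s] == "82540EM") print s
        }' | sort -n
}

# Walks all registered VMs and prints the affected adapters together with the
# command that switches each one to the paravirtualized (virtio) adapter.
audit_all_vms() {
    VBoxManage list vms | sed 's/.*{\(.*\)}$/\1/' | while read -r uuid; do
        VBoxManage showvminfo "$uuid" --machinereadable | find_e1000_nat_slots |
        while read -r slot; do
            echo "VM $uuid: adapter $slot uses E1000 with NAT"
            echo "  fix while powered off: VBoxManage modifyvm $uuid --nictype$slot virtio"
        done
    done
}

# Audit the real VMs when VirtualBox is installed, otherwise run on the sample.
if command -v VBoxManage >/dev/null 2>&1; then
    audit_all_vms
else
    printf '%s\n' "$SAMPLE_VMINFO" | find_e1000_nat_slots
fi
```

The script only reports; the suggested `modifyvm` command has to be run with the VM powered off. To use PCnet instead of the paravirtualized adapter, pass `Am79C973` in place of `virtio`.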
Details may be found on GitHub and at Bleeping Computer.