There was a vulnerability in Oracle Virtualbox that enabled Information Disclosure. The vulnerability has been fixed by an update. Now details have become public.
The Oracle Oracle Critical Patch Update Advisory – April 2019 mentions a vulnerability CVE-2019-2723 in Virtualbox prior to versions 5.2.28 and 6.0.6, which was closed with the mentioned Virtualbox versions. I have now received additional information via Twitter.
This bug can not only leak info but also lead to vm escape.
I used it in tianfu cup 2018.
— wei (@XiaoWei___) 5. Mai 2019
XiaoWei of the Zero Day Initiative writes that the CVE-2019-2723 vulnerability can also be used to break out of a virtual machine. Some information has been disclosed on this ZDI website.
This vulnerability allows local attackers to disclose sensitive information on vulnerable installations of Oracle VirtualBox. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the processing of OHCI data. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the hypervisor.