Disgruntled Security Researcher Publishes Major VirtualBox 0-Day Exploit (zdnet.com)
"A Russian security researcher has published details about a zero-day vulnerability affecting VirtualBox, an Oracle software application for running virtual machines," reports ZDNet.
According to a text file uploaded on GitHub, Saint Petersburg-based researcher Sergey Zelenyuk has found a chain of bugs that can allow malicious code to escape the VirtualBox virtual machine (the guest OS) and execute on the underlying (host) operating system. Once out of the VirtualBox VM, the malicious code runs in the OS' limited userspace (kernel ring 3), but Zelenyuk said that attackers can use many of the already known privilege escalation bugs to gain kernel-level access (ring 0). "The exploit is 100% reliable," Zelenyuk said. "It means it either works always or never because of mismatched binaries or other, more subtle reasons I didn't account."
The Russian researcher says the zero-day affects all current VirtualBox releases, works regardless of the host or guest operating system the user is running, and is reliable against the default configuration of newly created VMs. Besides a detailed write-up of the entire exploit chain, Zelenyuk has also published video proof, showing the zero-day in action against an Ubuntu VM running inside VirtualBox on an Ubuntu host OS.
Long-time Slashdot reader Artem Tashkinov warns that the exploit utilizes "bugs in the data link layer of the default E1000 network interface adapter which makes this vulnerability critical for everyone who uses virtualization to run untrusted code." According to ZDNet, the same security researcher "found and reported a similar issue in mid-2017, which Oracle took over 15 months to fix."
"This lengthy and drawn-out patching process appears to have angered Zelenyuk, who instead of reporting this bug to Oracle, has decided to publish details online without notifying the vendor."
There is no need for Virtualbox in Federal Prison.
They use FreeBSD Jails instead.
So submit the patch instead of waiting for someone else to for 15 months.
It is not that simple. Oracle controls which patches get applied. Sure, you can "fork it", but almost nobody has the time and resources to successfully fork a project.
Oracle WANTS VIRTUALBOX TO DIE. Same with MySql. They have closed source commercial products that compete with both of these. A big motivation for Oracle to acquire Sun was to get their hands on these open source projects so they could slowly strangle them. Late and slow security patches are part of the strangulation process.
If you ever see Oracle doing something that appears to not be evil, then you misunderstand what is going on.
Oracle WANTS VIRTUALBOX TO DIE. Same with MySql.
I would have to agree with this. Things like quarterly "CPU" releases (critical patch update) that mix security fixes with "feature updates" (and those being the only way to obtain security fixes), not annotating CVE IDs in the commit messages of related commits, and forbidding Oracle personnel from helping outside project personnel identify specific commits associated with specific security vulnerability fixes (very useful for backporting purposes) make for Oracle having a well-earned reputation for being obnoxious to the open source community in general.
I have to disagree... I've seen VMware products do a lot of nasty things, even in environments with high end paid support. The answers from VMW TAC were, to say the least, very unsatisfactory (destroy the VM and start over, it does that sometimes).
I use Virtualbox a lot. No, the polish of VMware isn't there, but ya know, there is NOTHING VMware/VSphere does that I can't do with Virtualbox... If I don't mind fiddling around with it for a while. Sometimes I mind. Other times, not so much.
Just my two shekels worth
Same with MySql. They have closed source commercial products that compete with both of these.
The percentage of MySQL users that would migrate to Oracle must be something that is a challenge to find even with a microscope. You have a reasonably smooth upgrade path to PostgreSQL, in fact if you are using database abstraction as you should, it's a config option.
Assorted stuff I do sometimes: Lemuria.org
Exactly! We already moved all our MySQL servers to MariaDB. And for new projects we use PostgreSQL.
If we were ever going to pay for a database license, Oracle would be out of our price range, and would probably go with MS SQL Server (it even runs on Linux now).
Well... There are PHPVirtualbox, remotebox and hyperbox, that I know of and have used or do use. There may be others now, but I stopped looking when I found some that I liked (why is it that my keys are always in the last place I look? because I stop looking!).
As I said, they can take some fiddling but are well worth the time/effort.
Add OpenVswitch (NICs for which are supported by Virtualbox VM guests) to the mix for a distributed switch fabric and a VirtualBox based "Vcenter" becomes very doable. Yes, you DO have to roll it yourself, unlike VMware, but...
Just like Vcenter, shared storage is necessary for moving running VMs from host to host.
Other than VMware, Virtualbox has the most pre-rolled "stuff". KVM and XEN CAN do all of this stuff, but there is a lot more that has to be done for integration.
All of that said, I've also found that when importing an OVA into Virtualbox, low level details of the guest DO get changed. Nothing huge, but some things DO check for those details and do various unpleasant things when they don't match. I haven't found any I can't change back, if I know what they are.
Like I said, it CAN be a wee tad fiddly.
The percentage of MySQL users that would migrate to Oracle must be something that is a challenge to find even with a microscope.
You are missing the point. Oracle knows these people won't migrate to Oracle-DB. Their big concern is people migrating in the other direction. Many customers (recently including Amazon) have dumped Oracle's DB, and gone to MySQL or Postgres. They want to slow that hemorrhaging.
Oracle is playing defense, not offense.
If you have to use Windows, upgrade to Pro under "This PC" and enable Hyper-V. It supports Linux and even FreeBSD at the kernel level without guest tools automatically. If you run linux KMS is there and qemu if you want a gui. Shoot even pfsense ran under Hyper-V natively without any hacks or packages out of the iso!
Both KMS and Hyper-V are type-1 hypervisors unlike the shitty VmWare Workstation and virtualbox. No guest tools and run bare metal near native speeds.
http://saveie6.com/
i have no idea what you're talking about (you might not either)
He doesn't.
Heck, they fixed a bug in 5.2.22 (released 2 days ago) that I reported in 5.2.18.
There is no Planet B.
e1000 is the Linux device driver name for that NIC family.
"I know I will be modded down for this": where's the option '-1, Asking for it'?
You say your hosts file engine can protect us from advertising. Can you provide assurance that, should I choose to install and use it, I will stop seeing ads such as the one I am currently replying to?
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.