Zero-Day Exploit Published for VM Escape Flaw in VirtualBox

A security researcher disclosed an as-yet-unpatched zero-day vulnerability in the popular VirtualBox virtualization software that can be exploited from a guest operating system to break out of the virtual machine and gain access to the host OS.

VM escape bugs are the most serious type of flaw for hypervisors because they negate the main security benefit provided by virtualization: isolation. This means that if a guest OS is infected with malware, that malware can break out and infect the host computer and potentially all the other virtual machines running on the same host.

The new vulnerability affects the latest version of VirtualBox, 5.2.20, released Oct. 16, as well as older versions. It was found and disclosed on GitHub as a zero-day — no fix available — by a Russian security researcher named Sergey Zelenyuk.

“I like VirtualBox and it has nothing to do with why I publish a 0day vulnerability,” Zelenyuk said in his GitHub post. “The reason is my disagreement with contemporary state of infosec, especially of security research and bug bounty.”

Zelenyuk’s proof-of-concept exploit was designed for Linux and works as a Linux Kernel Module (LKM), but the zero-day flaw can be exploited from any guest operating system. In fact, the exploit can easily be modified to work on Windows, where it needs to be loaded as a driver. In both cases, the attacker needs administrative privileges on the guest OS to install the malicious driver.

“The exploit is 100% reliable,” the researcher said. “It means it either works always or never because of mismatched binaries or other, more subtle reasons I didn’t account. It works at least on Ubuntu 16.04 and 18.04 x86_64 guests with default configuration.”

The vulnerability can be exploited from virtual machines configured with an Intel PRO/1000 MT Desktop (82540EM) virtualized network adapter that’s configured in Network Address Translation (NAT) mode. Unfortunately, this is the default configuration for VirtualBox VMs.

Until the flaw is patched, users can mitigate the zero-day vulnerability by switching the network adapter in their virtual machine configurations to PCnet or to Paravirtualized Network. Switching from NAT to another mode will also mitigate the flaw, but the first option is more reliable.
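The two mitigations above can be audited and applied from the command line. The following script is an added example, not code from the article or from the VirtualBox project: it parses the output of `VBoxManage showvminfo <vm> --machinereadable` (whose real keys are `nicN="<attachment mode>"` and `nictypeN="<adapter chip>"`), flags every slot that matches the vulnerable default (`82540EM` in `nat` mode), and prints the `VBoxManage modifyvm --nictype` command that switches that slot to the paravirtualized adapter (`virtio`) or to PCnet (`Am79C973`). The sample VM info embedded below is constructed for the demo; the VM name `ubuntu-guest` is an assumption.

```shell
#!/bin/sh
# Added audit helper for the VirtualBox mitigation (not from the article or
# from VirtualBox). Feed it `VBoxManage showvminfo <vm> --machinereadable`.

# Read machinereadable VM info on stdin; print each exposed slot ("nic1", ...),
# i.e. every adapter that is the 82540EM chip attached in NAT mode.
# Returns 0 when at least one exposed slot was found, 1 otherwise.
vbox_exposed_nics() {
  awk -F= '
    /^nic[0-9]+=/     { n = substr($1, 4) + 0; gsub(/"/, "", $2); mode[n] = $2; if (n > max) max = n }
    /^nictype[0-9]+=/ { n = substr($1, 8) + 0; gsub(/"/, "", $2); type[n] = $2; if (n > max) max = n }
    END {
      found = 0
      for (n = 1; n <= max; n++)
        if (mode[n] == "nat" && type[n] == "82540EM") { print "nic" n; found = 1 }
      exit (found ? 0 : 1)
    }'
}

# Print the VBoxManage command that swaps one slot to another adapter chip.
# Default is the paravirtualized adapter (virtio); pass Am79C973 as the third
# argument for the PCnet alternative the article also mentions.
mitigation_command() {
  vm=$1; slot=$2; chip=${3:-virtio}
  printf 'VBoxManage modifyvm "%s" --nictype%s %s\n' "$vm" "$slot" "$chip"
}

# Constructed sample: what showvminfo --machinereadable returns for a guest
# with the default NAT/82540EM adapter plus a host-only second NIC.
SAMPLE_VMINFO='name="ubuntu-guest"
nic1="nat"
nictype1="82540EM"
cableconnected1="on"
nic2="hostonly"
nictype2="82540EM"
nic3="none"'

# Only nic1 is exposed: nic2 is 82540EM too, but not in NAT mode.
if slots=$(printf '%s\n' "$SAMPLE_VMINFO" | vbox_exposed_nics); then
  for s in $slots; do
    mitigation_command ubuntu-guest "${s#nic}"
  done
fi
# Prints: VBoxManage modifyvm "ubuntu-guest" --nictype1 virtio
```

On a real host, loop over `VBoxManage list vms` and pipe each VM's `showvminfo --machinereadable` output through `vbox_exposed_nics`; the generated `modifyvm` commands are printed rather than executed so they can be reviewed first (the VM has to be powered off for the change to apply).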

If the flaw is exploited successfully, the attacker will gain ring 3 access on the host computer. This means the host is not fully compromised, but there are other techniques to escalate from ring 3 (the least privileged mode) to ring 0 (kernel mode).

Apache Calls on Struts 2.3.x Users to Manually Update FileUpload

The developers of Apache Struts are asking users who still use the 2.3.x version of the popular development framework to manually upgrade the Commons FileUpload library.

The FileUpload library, whose most recent version is 1.3.3, is part of the Apache Commons collection of reusable Java components. Previous versions are affected by a critical remote code execution vulnerability discovered and patched in 2016 and tracked as CVE-2016-1000031.

This vulnerability has been known to attackers for a long time and is still being exploited in the wild. However, it seems that until recently the Apache Struts 2.3.x branch, which is still supported and receives updates, continued to include an older and vulnerable version of Commons FileUpload.

“Your project is affected if it uses the built-in file upload mechanism of Struts 2, which defaults to the use of commons-fileupload,” Struts developer Łukasz Lenart said in a post on the Struts mailing list. “The updated commons-fileupload library is a drop-in replacement for the vulnerable version.”

The issue only affects applications built with Struts 2.3.36 and previous versions. Struts versions 2.5.12 and above already use the latest version of Commons FileUpload.
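Because the fix is a drop-in jar replacement rather than a framework upgrade, the practical check is whether a deployed application still ships a `commons-fileupload` jar older than 1.3.3. The script below is an added example, not code from the article or from the Struts project: it scans a `WEB-INF/lib`-style directory, compares the version embedded in each jar's file name against 1.3.3 with a plain numeric dot-by-dot comparison, and reports anything older. The `1.3.2` jar created in the demo is a constructed stand-in for an old bundled version, not a statement about which version a particular Struts release shipped.

```shell
#!/bin/sh
# Added check for the Commons FileUpload drop-in replacement (not from the
# article or from Apache Struts). Scans a lib directory for old jars.

# Return 0 if dot-separated version $1 is numerically older than $2, 1 otherwise.
# Non-numeric suffixes ("1.3.3-sources") are ignored by awk's numeric coercion.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# Print every commons-fileupload-<version>.jar in directory $1 that is older
# than 1.3.3 (the fixed version named in the article).
# Returns 0 if at least one vulnerable jar was found, 1 otherwise.
find_vulnerable_fileupload() {
  dir=$1
  found=1
  for jar in "$dir"/commons-fileupload-*.jar; do
    [ -e "$jar" ] || continue            # no match: the glob stays literal
    base=${jar##*/}
    ver=${base#commons-fileupload-}
    ver=${ver%.jar}
    if version_lt "$ver" 1.3.3; then
      printf '%s (version %s < 1.3.3)\n' "$jar" "$ver"
      found=0
    fi
  done
  return $found
}

# Constructed demo: empty files standing in for a deployed WEB-INF/lib.
demo_dir=$(mktemp -d)
: > "$demo_dir/commons-fileupload-1.3.2.jar"
: > "$demo_dir/commons-io-2.2.jar"
if find_vulnerable_fileupload "$demo_dir"; then
  echo "replace the jar above with commons-fileupload-1.3.3.jar"
fi
rm -rf "$demo_dir"
```

For a build rather than a deployed archive, the same comparison can be run over the `commons-fileupload` line of `mvn dependency:tree` output; either way, pinning the dependency at 1.3.3 in the project's build file is what makes the replacement stick across redeploys.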

Apache Struts is a common target for hackers. Vulnerabilities in the framework have been exploited to hijack servers for cryptomining and also led to the major data breach at Equifax. Even though this is not a Struts vulnerability per se but a vulnerability in one of its bundled dependencies, it can be just as easily targeted by attackers.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
