Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Oracle Security Virtualization Bug

Disgruntled Security Researcher Publishes Major VirtualBox 0-Day Exploit (zdnet.com) 130

"A Russian security researcher has published details about a zero-day vulnerability affecting VirtualBox, an Oracle software application for running virtual machines," reports ZDNet. According to a text file uploaded on GitHub, Saint Petersburg-based researcher Sergey Zelenyuk has found a chain of bugs that can allow malicious code to escape the VirtualBox virtual machine (the guest OS) and execute on the underlying (host) operating system. Once out of the VirtualBox VM, the malicious code runs in the OS' limited userspace (kernel ring 3), but Zelenyuk said that attackers can use many of the already known privilege escalation bugs to gain kernel-level access (ring 0). "The exploit is 100% reliable," Zelenyuk said. "It means it either works always or never because of mismatched binaries or other, more subtle reasons I didn't account."

The Russian researcher says the zero-day affects all current VirtualBox releases, works regardless of the host or guest operating system the user is running, and is reliable against the default configuration of newly created VMs. Besides a detailed write-up of the entire exploit chain, Zelenyuk has also published video proof, showing the zero-day in action against an Ubuntu VM running inside VirtualBox on an Ubuntu host OS.

Long-time Slashdot reader Artem Tashkinov warns that the exploit utilizes "bugs in the data link layer of the default E1000 network interface adapter which makes this vulnerability critical for everyone who uses virtualization to run untrusted code." According to ZDNet, the same security researcher "found and reported a similar issue in mid-2017, which Oracle took over 15 months to fix."

"This lengthy and drawn-out patching process appears to have angered Zelenyuk, who instead of reporting this bug to Oracle, has decided to publish details online without notifying the vendor."
This discussion has been archived. No new comments can be posted.

Disgruntled Security Researcher Publishes Major VirtualBox 0-Day Exploit

Comments Filter:
  • So submit the patch instead of waiting for someone else to for 15 months.
    • by Anonymous Coward

      He's a security RESEARCHER not a security DEVELOPER!

    • by Anonymous Coward

      only oracle employees have write access to the repos, so you're dealing with the bureaucracy and ineptitude of oracle regardless. 15 months previously probably means about that same turnaround now from patch submission to distribution.

    • by ShanghaiBill ( 739463 ) on Saturday November 10, 2018 @04:00PM (#57622860)

      So submit the patch instead of waiting for someone else to for 15 months.

      It is not that simple. Oracle controls which patches get applied. Sure, you can "fork it", but almost nobody has the time and resources to successfully fork a project.

      Oracle WANTS VIRTUALBOX TO DIE. Same with MySql. They have closed source commercial products that compete with both of these. A big motivation for Oracle to acquire Sun was to get their hands on these open source projects so they could slowly strangle them. Late and slow security patches are part of the strangulation process.

      If you ever see Oracle doing something that appears to not be evil, then you misunderstand what is going on.

      • Oracle WANTS VIRTUALBOX TO DIE. Same with MySql.

        I would have to agree with this. Things like quarterly "CPU" releases (critical patch update) that mix security fixes with "feature updates" (and those being the only way to obtain security fixes, not annotating CVE IDs in the commit messages of related commits, and forbidding Oracle personnel from helping outside project personnel identify specific commits associated with specific security vulnerability fixes (very useful for backporting purposes) makes for Oracle having a well earned reputation for being

      • by Tom ( 822 )

        Same with MySql. They have closed source commercial products that compete with both of these.

        The percentage of MySQL users that would migrate to Oracle must be something that is a challenge to find even with a microscope. You have a reasonably smooth upgrade path to PostgreSQL, in fact if you are using database abstraction as you should, it's a config option.

        • Re: (Score:2, Informative)

          by Anonymous Coward

          Exactly! We already moved all our MySQL servers to MariaDB. And for new projects we use PostgreSQL.

          If we were ever going to pay for a database license, Oracle would be out of our price range, and would probably go with MS SQL Server (it even runs on Linux now).

          • by Tom ( 822 )

            Why in all nine hells would you ever want to go with MS SQL for anything, at all, ever ?

            I've been doing sysadmin stuff all my adult life, even now that I'm a security architect I keep in close contact with sysadmins. Not one of them has ever recommended MS SQL, everyone who used it was unhappy, in most discussions it doesn't even appear as an option.

            I'm really curious which strange twisting of dimensions makes you the only person on the planet to seriously consider it who is not forced by external circumsta

            • by Dog-Cow ( 21281 )

              Why would you expect a sysadmin to know anything about RDMS’s?

              • by Tom ( 822 )

                Because they have to run them. Your DB-Admin is not a happy camper when he can't get his console because the stupid system hung itself, again.

        • by Anonymous Coward

          The fear is over the number that would migrate from Oracle to MySQL, if they had a chance.
          Oracle used to have some good features that a business might want, AND couldn't get for free elsewhere. Now, they mostly can.

        • by ShanghaiBill ( 739463 ) on Saturday November 10, 2018 @09:51PM (#57624004)

          The percentage of MySQL users that would migrate to Oracle must be something that is a challenge to find even with a microscope.

          You are missing the point. Oracle knows these people won't migrate to Oracle-DB. Their big concern is people migrating in the other direction. Many customers (recently including Amazon) have dumped Oracle's DB, and gone to MySQL or Postgres. They want to slow that hemorrhaging.

          Oracle is playing defense, not offense.

        • You have a reasonably smooth upgrade path to PostgreSQL, in fact if you are using database abstraction as you should, it's a config option.

          Um, no, unless you use such an incredibly small subset of SQL that you are not using the database for more than storing and retrieving your application data as-is. Depending on your code, it may be just minor adjustments or it may require a full application architecture overhaul to support a second database. Realistically, no in-house application ever changes database engine without it being a part of a major rewrite and rearchitecturing anyway. If you develop for PostgreSQL, take full advantage of its fantastic feature set. Don't restrict yourself and your coworkers to the 5% of it that it shares with MySQL just to be able to switch with a config option.

      • vbox is seductively easy to use on windows, but shit it's rotten software. Even something simple like the "cli" is clearly "designed" by windows-only idiots who just don't get proper CLI at all. And mysql is the same kind of idiocy with a different face on it. Both of them dying would be a good thing. Take docker and php with it while at it, please.

        Though realistically even should mysql die there's still mariadb, natch. For vbox, there's several alternatives you might use. Someone'll whip up a front-end on

      • by piojo ( 995934 )

        Oracle WANTS VIRTUALBOX TO DIE. Same with MySql.

        Why have they been doing such a good job of developing it? I recently tried to use MariaDB in my project, and it fundamentally could not do a basic JSON manipulation I needed (recursive merge with overwrite). I looked into how to write custom functions and got nowhere. As far as I could tell, the API deals with rows and tables, not other datatypes.

        After using MySQL for ten minutes, I found the function that did what I needed. It has been adapted to real-world usage it a way that MariaDB has not.

        I can't give

  • If more bugs were called out like this, the programmers would spend more time testing their software instead of taking the "we'll fix it if we get caught" attitude.
  • This vulnerability requires root level privileges inside a guest os, and for that guest os to be running with very specific configuration (must have e1000 nic and be configured in nat mode)...

    Incidentally nat mode doesnt support ipv6, rendering it useless for me.

    • by mvdwege ( 243851 )

      One of the reasons for running VMs is to isolate applications that require root privileges. And the e1000 is a very popular nic to virtualise. Almost everything I met had either VirtIO networking or an emulated e1000.

      So this is actually a pretty common configuration. No, this is not overblown.

  • by Billly Gates ( 198444 ) on Saturday November 10, 2018 @10:01PM (#57624058) Journal

    If you have to use WIndows upgrade to pro under "This PC" and enable Hyper-V. It supports Linux and even FreeBSD at the kernel level without guest tools automatically. If you run linux KMS is there and qemu if you want a gui. Shoot even pfsense ran under Hyper-V natively without any hacks or packages out of the iso!

    Both KMS and Hyper-V are type-1 hypervisors unlike the shitty VmWare Workstation and virtualbox. No guest tools and run bare metal near native speeds.

    • by Anonymous Coward

      If you have to use WIndows upgrade to pro under "This PC" and enable Hyper-V. It supports Linux and even FreeBSD at the kernel level without guest tools automatically.

      Uh, no. Integration components [microsoft.com] is MS's term for guest tools and are automatically installed. Linux has its own tools which MS went out of its way to make sure were compatible with Hyper-V. Linux also has native support for its own para-virtualized devices [archlinux.org], its term for guest tools, so it supports KVM "natively" since many, many years ago.

      • The integration tool,.s are default on modern linux distros as a kernel module. I do not have experience in ArchLinux but I have never needed to install them manually ever.

        • by Anonymous Coward

          "Installed by default" != "without guest tools" || "run bare metal". And, again, while Linux guests are setup to automatically support guest drivers for Hyper-V and KVM, Windows guests are not setup to automatically support KVM (AFAIK, and that guide I pointed to was from Feb 2018). Beyond that, 3d graphical support is horrible without pass-through and pass-through is a PITA presuming it works.

          You want to argue Virtualbox is more insecure or has more performance bottlenecks compared to KVM or Hyper-V, tha

    • Since you look like you know a bit about this, are there any downsides to enabling Hyper-V in Windows? Being a Type-1 hypervisor does that mean that Windows 10 itself suddenly becomes a guest on the hardware? Will it affect gaming or other performance?

      I've been considering playing with Hyper-V but haven't seen an answer to this question yet. I don't worry about it on my Linux box since it doesn't sit there gaming, rendering or otherwise heavily loading the hardware, and in that case I happy run Ubuntu on Xe

      • You are correct. In a type 1 hypervisor there is a parent child relationship as the hypervisor runs in ring -1 underneath the kernel inside the CPU itself. So near native speeds for the parent and more restrictions for the children or so called guests as they call them in type 2. On my home PC I can game fine. World of Warcraft slowed down only 1 to 2 fps and I have an older i7 4770K. Guests would be slower with the GPU in pass through mode but much quicker than virtual box as no software layer is used.

        So f

  • Comment removed based on user account deletion
  • I tried to use VirtualBox in my corporate Windows desktop earlier on this year.
    Gave up on frustration of the multitude of bugs I encountered.
    I cannot even phantom how people depend on VirtualBox to do some serious work, or how some misguided souls use it to run Linux servers.

Ocean: A body of water occupying about two-thirds of a world made for man -- who has no gills. -- Ambrose Bierce

Working...