Disgruntled Security Researcher Publishes Major VirtualBox 0-Day Exploit

"A Russian security researcher has published details about a zero-day vulnerability affecting VirtualBox, an Oracle software application for running virtual machines," reports ZDNet. According to a text file uploaded on GitHub, Saint Petersburg-based researcher Sergey Zelenyuk has found a chain of bugs that can allow malicious code to escape the VirtualBox virtual machine (the guest OS) and execute on the underlying (host) operating system. Once out of the VirtualBox VM, the malicious code runs in the OS' limited userspace (kernel ring 3), but Zelenyuk said that attackers can use many of the already known privilege escalation bugs to gain kernel-level access (ring 0). "The exploit is 100% reliable," Zelenyuk said. "It means it either works always or never because of mismatched binaries or other, more subtle reasons I didn't account."

The Russian researcher says the zero-day affects all current VirtualBox releases, works regardless of the host or guest operating system the user is running, and is reliable against the default configuration of newly created VMs. Besides a detailed write-up of the entire exploit chain, Zelenyuk has also published video proof, showing the zero-day in action against an Ubuntu VM running inside VirtualBox on an Ubuntu host OS.
Long-time Slashdot reader Artem Tashkinov warns that the exploit utilizes "bugs in the data link layer of the default E1000 network interface adapter which makes this vulnerability critical for everyone who uses virtualization to run untrusted code." According to ZDNet, the same security researcher "found and reported a similar issue in mid-2017, which Oracle took over 15 months to fix."

"This lengthy and drawn-out patching process appears to have angered Zelenyuk, who instead of reporting this bug to Oracle, has decided to publish details online without notifying the vendor."

VirtualBox is open source

[mccalli]

So submit the patch instead of waiting for someone else to for 15 months.

Re:

[Anonymous Coward]

He's a security RESEARCHER not a security DEVELOPER!

Re:

[Zontar The Mindless]

Where's your sense of humour, buddy?

Re:

[Anonymous Coward]

only oracle employees have write access to the repos, so you're dealing with the bureaucracy and ineptitude of oracle regardless. 15 months previously probably means about that same turnaround now from patch submission to distribution.

Re:VirtualBox is open source

[ShanghaiBill]

So submit the patch instead of waiting for someone else to for 15 months.

It is not that simple. Oracle controls which patches get applied. Sure, you can "fork it", but almost nobody has the time and resources to successfully fork a project.

Oracle WANTS VIRTUALBOX TO DIE. Same with MySql. They have closed source commercial products that compete with both of these. A big motivation for Oracle to acquire Sun was to get their hands on these open source projects so they could slowly strangle them. Late and slow security patches are part of the strangulation process.

If you ever see Oracle doing something that appears to not be evil, then you misunderstand what is going on.

Re:

[El Cubano]

Oracle WANTS VIRTUALBOX TO DIE. Same with MySql.

I would have to agree with this. Things like quarterly "CPU" releases (critical patch update) that mix security fixes with "feature updates" (and those being the only way to obtain security fixes, not annotating CVE IDs in the commit messages of related commits, and forbidding Oracle personnel from helping outside project personnel identify specific commits associated with specific security vulnerability fixes (very useful for backporting purposes) makes for Oracle having a well earned reputation for being

Re:

[Megol]

As you apparently don't know the definition of the word forbidding:
https://dictionary.cambridge.o... [cambridge.org]

Re:

[Tom]

Same with MySql. They have closed source commercial products that compete with both of these.

The percentage of MySQL users that would migrate to Oracle must be something that is a challenge to find even with a microscope. You have a reasonably smooth upgrade path to PostgreSQL, in fact if you are using database abstraction as you should, it's a config option.

Re:

[Anonymous Coward]

Exactly! We already moved all our MySQL servers to MariaDB. And for new projects we use PostgreSQL.

If we were ever going to pay for a database license, Oracle would be out of our price range, and would probably go with MS SQL Server (it even runs on Linux now).

Re:

[Tom]

Why in all nine hells would you ever want to go with MS SQL for anything, at all, ever ?

I've been doing sysadmin stuff all my adult life, even now that I'm a security architect I keep in close contact with sysadmins. Not one of them has ever recommended MS SQL, everyone who used it was unhappy, in most discussions it doesn't even appear as an option.

I'm really curious which strange twisting of dimensions makes you the only person on the planet to seriously consider it who is not forced by external circumsta

Re:

[Dog-Cow]

Why would you expect a sysadmin to know anything about RDMS’s?

Re:

[Tom]

Because they have to run them. Your DB-Admin is not a happy camper when he can't get his console because the stupid system hung itself, again.

Re:

[Anonymous Coward]

The fear is over the number that would migrate from Oracle to MySQL, if they had a chance.
Oracle used to have some good features that a business might want, AND couldn't get for free elsewhere. Now, they mostly can.

Re:VirtualBox is open source

[ShanghaiBill]

The percentage of MySQL users that would migrate to Oracle must be something that is a challenge to find even with a microscope.

You are missing the point. Oracle knows these people won't migrate to Oracle-DB. Their big concern is people migrating in the other direction. Many customers (recently including Amazon) have dumped Oracle's DB, and gone to MySQL or Postgres. They want to slow that hemorrhaging.

Oracle is playing defense, not offense.

Re:

[Per Wigren]

You have a reasonably smooth upgrade path to PostgreSQL, in fact if you are using database abstraction as you should, it's a config option.

Um, no, unless you use such an incredibly small subset of SQL that you are not using the database for more than storing and retrieving your application data as-is. Depending on your code, it may be just minor adjustments or it may require a full application architecture overhaul to support a second database. Realistically, no in-house application ever changes database engine without it being a part of a major rewrite and rearchitecturing anyway. If you develop for PostgreSQL, take full advantage of its fantastic feature set. Don't restrict yourself and your coworkers to the 5% of it that it shares with MySQL just to be able to switch with a config option.

virtualbog is crap, owned by a crap company.

[Anonymous Coward]

vbox is seductively easy to use on windows, but shit it's rotten software. Even something simple like the "cli" is clearly "designed" by windows-only idiots who just don't get proper CLI at all. And mysql is the same kind of idiocy with a different face on it. Both of them dying would be a good thing. Take docker and php with it while at it, please.

Though realistically even should mysql die there's still mariadb, natch. For vbox, there's several alternatives you might use. Someone'll whip up a front-end on

Re:

[piojo]

Oracle WANTS VIRTUALBOX TO DIE. Same with MySql.

Why have they been doing such a good job of developing it? I recently tried to use MariaDB in my project, and it fundamentally could not do a basic JSON manipulation I needed (recursive merge with overwrite). I looked into how to write custom functions and got nowhere. As far as I could tell, the API deals with rows and tables, not other datatypes.

After using MySQL for ten minutes, I found the function that did what I needed. It has been adapted to real-world usage it a way that MariaDB has not.

I can't give

Hooray for this!

[pierceelevated]

If more bugs were called out like this, the programmers would spend more time testing their software instead of taking the "we'll fix it if we get caught" attitude.

Overblown much?

[Bert64]

This vulnerability requires root level privileges inside a guest os, and for that guest os to be running with very specific configuration (must have e1000 nic and be configured in nat mode)...

Incidentally nat mode doesnt support ipv6, rendering it useless for me.

Re:

[mvdwege]

e1000 is the Linux device driver name for that NIC family.

Re:

[mvdwege]

One of the reasons for running VMs is to isolate applications that require root privileges. And the e1000 is a very popular nic to virtualise. Almost everything I met had either VirtIO networking or an emulated e1000.

So this is actually a pretty common configuration. No, this is not overblown.

Re: Simple to work around, no?

[Provocateur]

was being the operative word here.

Use KMS on Linux or Hyper-V on Win10

[Billly Gates]

If you have to use WIndows upgrade to pro under "This PC" and enable Hyper-V. It supports Linux and even FreeBSD at the kernel level without guest tools automatically. If you run linux KMS is there and qemu if you want a gui. Shoot even pfsense ran under Hyper-V natively without any hacks or packages out of the iso!

Both KMS and Hyper-V are type-1 hypervisors unlike the shitty VmWare Workstation and virtualbox. No guest tools and run bare metal near native speeds.

Re:

[Anonymous Coward]

If you have to use WIndows upgrade to pro under "This PC" and enable Hyper-V. It supports Linux and even FreeBSD at the kernel level without guest tools automatically.

Uh, no. Integration components [microsoft.com] is MS's term for guest tools and are automatically installed. Linux has its own tools which MS went out of its way to make sure were compatible with Hyper-V. Linux also has native support for its own para-virtualized devices [archlinux.org], its term for guest tools, so it supports KVM "natively" since many, many years ago.

Re:

[Billly Gates]

The integration tool,.s are default on modern linux distros as a kernel module. I do not have experience in ArchLinux but I have never needed to install them manually ever.

Re:

[Anonymous Coward]

"Installed by default" != "without guest tools" || "run bare metal". And, again, while Linux guests are setup to automatically support guest drivers for Hyper-V and KVM, Windows guests are not setup to automatically support KVM (AFAIK, and that guide I pointed to was from Feb 2018). Beyond that, 3d graphical support is horrible without pass-through and pass-through is a PITA presuming it works.

You want to argue Virtualbox is more insecure or has more performance bottlenecks compared to KVM or Hyper-V, tha

Re:

[thegarbz]

Since you look like you know a bit about this, are there any downsides to enabling Hyper-V in Windows? Being a Type-1 hypervisor does that mean that Windows 10 itself suddenly becomes a guest on the hardware? Will it affect gaming or other performance?

I've been considering playing with Hyper-V but haven't seen an answer to this question yet. I don't worry about it on my Linux box since it doesn't sit there gaming, rendering or otherwise heavily loading the hardware, and in that case I happy run Ubuntu on Xe

Re: Use KMS on Linux or Hyper-V on Win10

[Billly Gates]

You are correct. In a type 1 hypervisor there is a parent child relationship as the hypervisor runs in ring -1 underneath the kernel inside the CPU itself. So near native speeds for the parent and more restrictions for the children or so called guests as they call them in type 2. On my home PC I can game fine. World of Warcraft slowed down only 1 to 2 fps and I have an older i7 4770K. Guests would be slower with the GPU in pass through mode but much quicker than virtual box as no software layer is used.

So f

Re:

[thegarbz]

Thanks, I may have a play with this.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

No surprise here

[Rui F Ribeiro]

I tried to use VirtualBox in my corporate Windows desktop earlier on this year.
Gave up on frustration of the multitude of bugs I encountered.
I cannot even phantom how people depend on VirtualBox to do some serious work, or how some misguided souls use it to run Linux servers.

Re:No virtualbox in FEDERAL PRISON

[ShanghaiBill]

There is no need for Virtualbox in Federal Prison.

They use FreeBSD Jails [wikipedia.org] instead.

Re:

[bferrell]

I have to disagree... I've seen VMware products do a lot of nasty things, even in environments with high end paid support. The answers from VMW TAC were, to say the least, very unsatisfactory (destroy the VM and start over, it does that sometimes).

I use Virtualbox a lot. No, the polish of VMware isn't there, but ya know, there is NOTHING VMware/VSphere does that I can't do with Virtualbox... If I don't mind fiddling around with it for a while. Sometimes I mind. Other times, not so much.

Just my two scheck

Re:

[Anonymous Coward]

What's the virtual box alternative to vCenter?

Re:

[bferrell]

well... There are PHPVirtualbox, remotebox and hyperbox, that I know of and have used or do use. There may be others now, but I stopped looking when I found some that I liked (why is it that my keys are always in the last place I look? because I stop looking!) .

As I said, they can take some fiddling but are well worth the time/effort.

Add OpenVswitch (NICs for which are supported by Virtualbox VM guests) to the mix for a distributed switch fabric and a VirtualBox based "Vcenter" becomes very doable. Yes

Re:

[Zontar The Mindless]

i have no idea what you're talking about (you might not either)

He doesn't.

Heck, they fixed a bug in 5.2.22 (released 2 days ago) that I reported in 5.2.18.

Re:

[ayesnymous]

Yup, VMware is some of the worst software I've ever seen. And they still require Flash for their fully-functional UI.

Re:

[goose-incarnated]

How good or poor is opengl support in vmware workstation?

I found it glitchy when I tried it a few years ago, but still far better than virtualbox. If workstation had bulletproof opengl support I'd license it.

They're both crap. VMWare is slightly better than Virtualbox, but it's still crap.

Re:

[rl117]

Poor. Intermittent random freezing of kde kwin input, window switching and compositing when hw accel is enabled, plus occasional hard lockups of the whole machine. It's also a really old gl version. Unusable. This is with a well supported radeon RX 580. Spent months of back and forth with their tech "support". They don't seem to care. Was a waste of money (not cheap) and hard to recommend. The quality tanked when they fired their US team and was offshored. It's a maintenance mode cash cow at this p

Re:

[Zontar The Mindless]

I count: one (new) unsubstantiated allegation and at least two lies (which you've repeated before). Why are you trolling this thread, anyhow?

Re:

[Zontar The Mindless]

Links are not some form of magic, Alex. Two rotten apples are not any more edible than one, and hyperlinking to repetitions of lies does not make them true, no matter how many times you do it.

Re:

[Zontar The Mindless]

You are so INCREDIBLY predictable, Alex. You're like the hamster running inside the little wheel.

Mostly.

(The hamster eventually figures out how to get off.)

Happy Armistice Day from Stockholm!

Re:

[BronsCon]

You say your hosts file engine can protect us from advertising. Can you provide assurance that, should I choose to install and use it, I will stop seeing ads such as the one I am currently replying to?

Re:

[BronsCon]

Still an ad, still a valid question, still no affirmative response from you, and still quoting me out off context as explained in my signature. Still just as toxic, underhanded, and dishonest as always; nobody should use or trust software written by someone with those traits. How's that for a review? Dick.

Re:

[BronsCon]

I'm saying that, in the context in which I actually said it, it wasn't praise at all. You're too fucking dense to realize that, though... which, honestly, is not my problem.

Re:

[BronsCon]

You're missing it, so I'll state it more plainly. I did literally write words similar to what you keep quoting (your edit changes the meaning a fair bit so, no, I did not write that), but it was not an endorsement of your work so much as a preface to an insult. Once again, my words were not an endorsement of your work and the fact that you had to edit them to make them appear to be such should be a dead giveaway of that.

I wouldn't bother replying to irrefutable logic, except to concede or agree, because I

Re:

[Zontar The Mindless]

You told people to block GitHub and GitLab—permanently, FFS.

I remember a couple of years ago when you were so proud of yourself because your string routines pegged the fucking CPU. You only changed your tune about this after about 200 people here on Slashdot mocked you for it, and rightly so.

And you continue to indulge in your classic "Pick on someone until you get a reaction, then claim they're picking on you" which is about what I'd expect of Donald Trump or someone else with the mentality of a 12-y