Oracle VirtualBox VBVA Flaws Enabled Guest-to-Host VM Escape
Researchers disclosed two Oracle VirtualBox vulnerabilities in the VirtualBox Video Acceleration (VBVA) component that could let an attacker escape from a guest VM and execute code in the host VirtualBox process. The flaws, tracked as CVE-2020-2682 and CVE-2020-2758, affected the HGSMI-exposed graphics path used by guest systems, making the vulnerable functionality reachable from inside a virtual machine when video acceleration features were enabled.
CVE-2020-2682 was an out-of-bounds access caused by using a guest-controlled surface handle as an index without effective bounds enforcement in release builds, while CVE-2020-2758 was a use-after-free tied to stale VGA surface pointers during guest-triggerable display resize operations. In both cases, crafted VBVA commands could corrupt memory in the host-side VirtualBox process and potentially achieve privilege escalation or full VM escape. Oracle addressed the issues in its January 2020 and April 2020 Critical Patch Update advisories, respectively.
Timeline
Apr 30, 2020
CVE-2020-2758 publicly disclosed
STAR Labs publicly disclosed the VirtualBox VHWA use-after-free privilege-escalation and VM escape vulnerability on 2020-04-30.
Apr 1, 2020
Oracle releases fix for CVE-2020-2758
Oracle fixed CVE-2020-2758 in its April 2020 Critical Patch Update advisory for VirtualBox.
Mar 3, 2020
CVE-2020-2758 reported to ZDI
STAR Labs disclosed the Oracle VirtualBox VHWA use-after-free vulnerability later assigned CVE-2020-2758 to the vendor through ZDI on 2020-03-03.
Jan 15, 2020
CVE-2020-2682 publicly disclosed
Details of the VirtualBox VBoxVHWAHandleTable out-of-bounds access privilege-escalation issue were publicly disclosed in January 2020.
Jan 15, 2020
Oracle releases fix for CVE-2020-2682
Oracle addressed CVE-2020-2682 in its January 2020 Critical Patch Update advisory for VirtualBox.
Oct 1, 2019
Oracle verifies CVE-2020-2682
Oracle verified the reported VirtualBox VBVA flaw in October 2019 as part of coordinated disclosure for CVE-2020-2682.
Sep 1, 2019
CVE-2020-2682 reported to ZDI
STAR Labs reported the Oracle VirtualBox VBVA out-of-bounds access vulnerability later assigned CVE-2020-2682 to ZDI in September 2019.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Sources
Related Stories
Oracle VirtualBox SVGA Flaws Let Privileged Windows Guests Trigger Host Out-of-Bounds Reads
Oracle patched two VirtualBox vulnerabilities in its SVGA graphics stack that could let a **privileged attacker inside a Windows guest** trigger out-of-bounds reads on the host. **`CVE-2020-2748`** affects VirtualBox `6.1.0 r135406` in the `VMSVGA/VBoxSVGA` video adapter path, where guest-controlled cursor update data can supply an unchecked screen identifier that is later used in `Display::i_displayVBVAReportCursorPosition`, causing an out-of-bounds access to `maFramebuffers[aScreenId]`. STAR Labs said the flaw was disclosed through ZDI and Oracle addressed it in its April 2020 security advisory. A separate bug, **`CVE-2019-3026`**, affects VirtualBox `6.0.4 r128413` and stems from improper validation of SVGA 3D commands in `vmsvgaFIFOLoop`. STAR Labs reported that a size-check macro failed to exit the intended switch block, allowing malformed command headers to bypass validation and trigger an integer underflow followed by an out-of-bounds read in `vmsvga3dShaderSetConst()`. Exploitation requires the attacker to already have high privileges in the guest, and for the VM to have **3D acceleration enabled**; Oracle fixed the issue in its October 2019 Critical Patch Update.
3 weeks ago
Oracle VirtualBox E1000 Flaws Enable Guest Memory Leak and Host Escape
Oracle VirtualBox's emulated Intel PRO/1000 MT Desktop (`E1000`) network adapter was found to contain multiple security flaws that let attackers abuse packet-processing logic from inside a guest VM. One issue, tracked as **`CVE-2020-2894`**, affects VirtualBox 6.1.0 and stems from improper validation in `e1kInsertChecksum()`, allowing checksum operations to read beyond a packet buffer and disclose adjacent memory. By manipulating checksum end offsets, an attacker in a guest can leak host-side data incrementally through the virtual NIC path. A separate flaw, **`CVE-2019-2722`**, impacts VirtualBox 5.2.28 and earlier and 6.0.6 and earlier, where an integer underflow in `e1kFallbackAddToFrame()` can trigger a heap out-of-bounds write in host memory. An attacker with root or administrator privileges in the guest can craft transmit descriptors to corrupt host memory and potentially escape the VM to host ring 3. Both vulnerabilities were disclosed through Trend Micro Zero Day Initiative's **Pwn2Own** program, and Oracle released fixes through its security update process.
3 weeks ago
Oracle VirtualBox HDA Flaws Let Guest Attackers Crash Host-Side VM Processes
Oracle patched two vulnerabilities in VirtualBox `6.0.4` affecting the emulated Intel HD Audio (HDA) controller used by Windows guests. **CVE-2019-3002** allows a privileged attacker inside a guest to manipulate HDA stream control and related registers so that audio stream initialization hits a divide-by-zero condition, crashing the virtual machine. **CVE-2019-3005** stems from a crafted stream descriptor number sent to the emulated HDA CODEC, which can detach an existing stream and leave a sink pointer `NULL`, leading to a host-side NULL pointer dereference when that sink is later accessed. Both issues require the attacker to already have high-privileged code execution inside the guest and the VM to be configured with the default HDA audio controller. The flaws were reported to Oracle on 2019-09-11 and fixed in the vendor's October 2019 Critical Patch Update, with STAR Labs noting that the bugs could be triggered through guest-controlled audio stream parameters in the VirtualBox HDA implementation.
3 weeks ago