
Oracle VirtualBox SVGA Flaws Let Privileged Windows Guests Trigger Host Out-of-Bounds Reads

Tags: widely-deployed-product-advisory, endpoint-software-vulnerability
Updated April 11, 2026 at 05:23 PM. 2 sources.

Oracle patched two VirtualBox vulnerabilities in its SVGA graphics stack that could let a privileged attacker inside a Windows guest trigger out-of-bounds reads on the host. CVE-2020-2748 affects VirtualBox 6.1.0 r135406 in the VMSVGA/VBoxSVGA video adapter path, where guest-controlled cursor update data can supply an unchecked screen identifier that is later used in Display::i_displayVBVAReportCursorPosition, causing an out-of-bounds access to maFramebuffers[aScreenId]. STAR Labs said the flaw was disclosed through ZDI and Oracle addressed it in its April 2020 security advisory.

A separate bug, CVE-2019-3026, affects VirtualBox 6.0.4 r128413 and stems from improper validation of SVGA 3D commands in vmsvgaFIFOLoop. STAR Labs reported that a size-check macro failed to exit the intended switch block, allowing malformed command headers to bypass validation and trigger an integer underflow followed by an out-of-bounds read in vmsvga3dShaderSetConst(). Exploitation requires the attacker to already have high privileges in the guest, and for the VM to have 3D acceleration enabled; Oracle fixed the issue in its October 2019 Critical Patch Update.
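Both bug classes described above come down to the same host-side rule: a value that arrives from the guest (a screen identifier used as an array index, a command size field that a later subtraction depends on) must be validated before anything is computed from it, and the validation must actually stop the handler. The C below is an added example written for this page, not VirtualBox's own code: it models a hypothetical device back end with a constructed framebuffer table and a constructed little-endian FIFO command layout. Every identifier in it (MAX_SCREENS, HDR_LEN, CMD_SET_CONST, g_consts, the sample command bytes) is invented for illustration and does not correspond to VirtualBox source.

```c
/* Added example, not VirtualBox code: validating guest-controlled values in a
 * hypothetical device model. All identifiers (screen table, command layout,
 * register counts, sample bytes) are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef enum { DEV_OK = 0, DEV_ERR_BAD_SCREEN, DEV_ERR_SHORT_CMD,
               DEV_ERR_BAD_RANGE, DEV_ERR_UNKNOWN_CMD } DevStatus;

/* ---- Pattern 1: guest-supplied index into a host-side table ------------ */
#define MAX_SCREENS 8u                      /* constructed table size */
typedef struct { int x, y; } Framebuffer;
static Framebuffer g_framebuffers[MAX_SCREENS];

/* The bound is a plain runtime test, not an assert, so it is still enforced
 * in release builds where asserts compile out. */
DevStatus report_cursor_position(uint32_t screen_id, int x, int y)
{
    if (screen_id >= MAX_SCREENS)
        return DEV_ERR_BAD_SCREEN;          /* drop the update, never index */
    g_framebuffers[screen_id].x = x;
    g_framebuffers[screen_id].y = y;
    return DEV_OK;
}

/* ---- Pattern 2: guest-supplied length in a FIFO command header --------- */
/* Constructed wire format (little-endian): u32 id, u32 size (header
 * included); for CMD_SET_CONST the body is u32 reg, u32 count, count x u32. */
#define HDR_LEN       8u
#define BODY_LEN      8u
#define CMD_SET_CONST 1u
#define MAX_CONSTS    32u                   /* constructed register file size */
static uint32_t g_consts[MAX_CONSTS];

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Length validation returns a status instead of relying on a macro that
 * `break`s out of whatever block it happens to be in, so the caller cannot
 * fall through into a handler with a size that has already wrapped. */
static DevStatus validate_header(const uint8_t *fifo, size_t fifo_len,
                                 uint32_t *id, size_t *payload_len)
{
    if (fifo_len < HDR_LEN)
        return DEV_ERR_SHORT_CMD;
    uint32_t size = read_le32(fifo + 4);
    /* Test before subtracting: size - HDR_LEN would underflow for size < 8. */
    if (size < HDR_LEN || size > fifo_len)
        return DEV_ERR_SHORT_CMD;
    *id = read_le32(fifo);
    *payload_len = size - HDR_LEN;
    return DEV_OK;
}

DevStatus process_command(const uint8_t *fifo, size_t fifo_len)
{
    uint32_t id;
    size_t payload_len;
    DevStatus st = validate_header(fifo, fifo_len, &id, &payload_len);
    if (st != DEV_OK)
        return st;                          /* rejected: handler never runs */
    switch (id) {
    case CMD_SET_CONST: {
        if (payload_len < BODY_LEN)
            return DEV_ERR_SHORT_CMD;
        uint32_t reg   = read_le32(fifo + HDR_LEN);
        uint32_t count = read_le32(fifo + HDR_LEN + 4);
        size_t data_len = payload_len - BODY_LEN;   /* safe: checked above */
        /* Divide rather than multiply so count * 4 cannot overflow. */
        if (count > data_len / 4)
            return DEV_ERR_BAD_RANGE;
        /* reg + count must fit the register file; written without overflow. */
        if (reg > MAX_CONSTS || count > MAX_CONSTS - reg)
            return DEV_ERR_BAD_RANGE;
        const uint8_t *data = fifo + HDR_LEN + BODY_LEN;
        for (uint32_t i = 0; i < count; i++)
            g_consts[reg + i] = read_le32(data + 4 * i);
        return DEV_OK;
    }
    default:
        return DEV_ERR_UNKNOWN_CMD;
    }
}

uint32_t const_reg(uint32_t i) { return i < MAX_CONSTS ? g_consts[i] : 0; }

/* Constructed sample FIFO contents (not captured from any real guest). */
static const uint8_t k_good_cmd[] = {
    1,0,0,0,  24,0,0,0,        /* id=SET_CONST, size=8+8+8 */
    2,0,0,0,   2,0,0,0,        /* reg=2, count=2 */
    0xAA,0,0,0, 0xBB,0,0,0 };  /* two data words */
static const uint8_t k_wrapping_size_cmd[] = {
    1,0,0,0,   4,0,0,0,        /* size < header: would underflow unchecked */
    0,0,0,0,   0,0,0,0 };
static const uint8_t k_overclaimed_count_cmd[] = {
    1,0,0,0,  16,0,0,0,        /* header + body, no data */
    0,0,0,0, 100,0,0,0 };      /* count claims 100 words */

DevStatus run_good(void)        { return process_command(k_good_cmd, sizeof k_good_cmd); }
DevStatus run_wrapping(void)    { return process_command(k_wrapping_size_cmd, sizeof k_wrapping_size_cmd); }
DevStatus run_overclaimed(void) { return process_command(k_overclaimed_count_cmd, sizeof k_overclaimed_count_cmd); }
```

Two design points carry over to real device models. First, the index and length checks are ordinary conditionals that return an error code; a check implemented as an assert is absent from release builds, which is the same release-build gap the related VBVA story describes. Second, the size check runs before the subtraction that depends on it and is structured so that a rejected header cannot reach the `switch` handler, which is the failure the page attributes to a size-check macro that did not exit the intended block.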

Timeline

  1. Apr 30, 2020

    STAR Labs publicly discloses CVE-2020-2748 details

    STAR Labs publicly disclosed technical details for CVE-2020-2748, describing how a privileged guest could manipulate SVGA FIFO cursor update fields to cause an out-of-bounds read in VirtualBox. The disclosure coincided with the vendor patch being available.

  2. Apr 30, 2020

    Oracle acknowledges and patches CVE-2020-2748

    Oracle acknowledged CVE-2020-2748 and released a patch in its April 2020 security advisory. The issue affected the VMSVGA/VBoxSVGA video adapter path used by Windows guests and could trigger out-of-bounds access from a privileged guest.

  3. Mar 3, 2020

    CVE-2020-2748 disclosed to Oracle through ZDI

    A VirtualBox SVGA out-of-bounds read vulnerability, later tracked as CVE-2020-2748, was disclosed to Oracle through ZDI. The flaw affected VirtualBox 6.1.0 r135406 and stemmed from improper bounds checking of a guest-controlled screen identifier in cursor update handling.

  4. Oct 20, 2019

    Oracle patches CVE-2019-3026 in October 2019 CPU

    Oracle patched CVE-2019-3026 and published an advisory as part of its October 2019 Critical Patch Update. The vulnerability required high-privileged code execution in the guest and 3D acceleration to be enabled.

  5. Aug 13, 2019

    STAR Labs reports CVE-2019-3026 to Oracle

    STAR Labs reported an Oracle VirtualBox VBoxSVGA validation flaw, later assigned CVE-2019-3026, to Oracle. The bug affected VirtualBox 6.0.4 r128413 on Windows guests and could lead to an integer underflow and out-of-bounds read when processing malformed SVGA 3D commands.


Related Stories

Oracle VirtualBox VBVA Flaws Enabled Guest-to-Host VM Escape

Researchers disclosed two **Oracle VirtualBox** vulnerabilities in the **VirtualBox Video Acceleration (VBVA)** component that could let an attacker escape from a guest VM and execute code in the host VirtualBox process. The flaws, tracked as `CVE-2020-2682` and `CVE-2020-2758`, affected the HGSMI-exposed graphics path used by guest systems, making the vulnerable functionality reachable from inside a virtual machine when video acceleration features were enabled. `CVE-2020-2682` was an out-of-bounds access caused by using a guest-controlled surface handle as an index without effective bounds enforcement in release builds, while `CVE-2020-2758` was a use-after-free tied to stale VGA surface pointers during guest-triggerable display resize operations. In both cases, crafted VBVA commands could corrupt memory in the host-side VirtualBox process and potentially achieve privilege escalation or full VM escape. Oracle addressed the issues in its **January 2020** and **April 2020 Critical Patch Update** advisories, respectively.

Oracle VirtualBox HDA Flaws Let Guest Attackers Crash Host-Side VM Processes

Oracle patched two vulnerabilities in VirtualBox `6.0.4` affecting the emulated Intel HD Audio (HDA) controller used by Windows guests. **CVE-2019-3002** allows a privileged attacker inside a guest to manipulate HDA stream control and related registers so that audio stream initialization hits a divide-by-zero condition, crashing the virtual machine. **CVE-2019-3005** stems from a crafted stream descriptor number sent to the emulated HDA CODEC, which can detach an existing stream and leave a sink pointer `NULL`, leading to a host-side NULL pointer dereference when that sink is later accessed. Both issues require the attacker to already have high-privileged code execution inside the guest and the VM to be configured with the default HDA audio controller. The flaws were reported to Oracle on 2019-09-11 and fixed in the vendor's October 2019 Critical Patch Update, with STAR Labs noting that the bugs could be triggered through guest-controlled audio stream parameters in the VirtualBox HDA implementation.

Oracle VirtualBox E1000 Flaws Enable Guest Memory Leak and Host Escape

Oracle VirtualBox's emulated Intel PRO/1000 MT Desktop (`E1000`) network adapter was found to contain multiple security flaws that let attackers abuse packet-processing logic from inside a guest VM. One issue, tracked as **`CVE-2020-2894`**, affects VirtualBox 6.1.0 and stems from improper validation in `e1kInsertChecksum()`, allowing checksum operations to read beyond a packet buffer and disclose adjacent memory. By manipulating checksum end offsets, an attacker in a guest can leak host-side data incrementally through the virtual NIC path. A separate flaw, **`CVE-2019-2722`**, impacts VirtualBox 5.2.28 and earlier and 6.0.6 and earlier, where an integer underflow in `e1kFallbackAddToFrame()` can trigger a heap out-of-bounds write in host memory. An attacker with root or administrator privileges in the guest can craft transmit descriptors to corrupt host memory and potentially escape the VM to host ring 3. Both vulnerabilities were disclosed through Trend Micro Zero Day Initiative's **Pwn2Own** program, and Oracle released fixes through its security update process.
