Oracle VirtualBox HDA Flaws Let Guest Attackers Crash Host-Side VM Processes
Oracle patched two vulnerabilities in VirtualBox 6.0.4 affecting the emulated Intel HD Audio (HDA) controller used by Windows guests. CVE-2019-3002 allows a privileged attacker inside a guest to manipulate HDA stream control and related registers so that audio stream initialization hits a divide-by-zero condition, crashing the virtual machine. CVE-2019-3005 stems from a crafted stream descriptor number sent to the emulated HDA CODEC, which can detach an existing stream and leave a sink pointer NULL, leading to a host-side NULL pointer dereference when that sink is later accessed.
Both issues require the attacker to already have high-privileged code execution inside the guest and the VM to be configured with the default HDA audio controller. The flaws were reported to Oracle on 2019-09-11 and fixed in the vendor's October 2019 Critical Patch Update, with STAR Labs noting that the bugs could be triggered through guest-controlled audio stream parameters in the VirtualBox HDA implementation.
Timeline
Oct 20, 2019
Oracle patches CVE-2019-3002 and CVE-2019-3005 in October CPU
Oracle issued fixes for the two VirtualBox vulnerabilities on 2019-10-20 and published them as part of its October 2019 Critical Patch Update. The patched flaws affected the default HDA audio controller configuration used by Windows guests in VirtualBox 6.0.4.
Sep 11, 2019
STAR Labs reports two VirtualBox HDA flaws to Oracle
STAR Labs submitted reports to Oracle for CVE-2019-3002 and CVE-2019-3005, both affecting the emulated Intel HD Audio controller in Oracle VirtualBox 6.0.4. The issues could let a privileged guest user trigger host-side crashes via divide-by-zero and NULL pointer dereference conditions.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Sources
Related Stories
Oracle VirtualBox SVGA Flaws Let Privileged Windows Guests Trigger Host Out-of-Bounds Reads
Oracle patched two VirtualBox vulnerabilities in its SVGA graphics stack that could let a **privileged attacker inside a Windows guest** trigger out-of-bounds reads on the host. **`CVE-2020-2748`** affects VirtualBox `6.1.0 r135406` in the `VMSVGA/VBoxSVGA` video adapter path, where guest-controlled cursor update data can supply an unchecked screen identifier that is later used in `Display::i_displayVBVAReportCursorPosition`, causing an out-of-bounds access to `maFramebuffers[aScreenId]`. STAR Labs said the flaw was disclosed through ZDI and Oracle addressed it in its April 2020 security advisory. A separate bug, **`CVE-2019-3026`**, affects VirtualBox `6.0.4 r128413` and stems from improper validation of SVGA 3D commands in `vmsvgaFIFOLoop`. STAR Labs reported that a size-check macro failed to exit the intended switch block, allowing malformed command headers to bypass validation and trigger an integer underflow followed by an out-of-bounds read in `vmsvga3dShaderSetConst()`. Exploitation requires the attacker to already have high privileges in the guest, and for the VM to have **3D acceleration enabled**; Oracle fixed the issue in its October 2019 Critical Patch Update.
3 weeks ago
Oracle VirtualBox VBVA Flaws Enabled Guest-to-Host VM Escape
Researchers disclosed two **Oracle VirtualBox** vulnerabilities in the **VirtualBox Video Acceleration (VBVA)** component that could let an attacker escape from a guest VM and execute code in the host VirtualBox process. The flaws, tracked as `CVE-2020-2682` and `CVE-2020-2758`, affected the HGSMI-exposed graphics path used by guest systems, making the vulnerable functionality reachable from inside a virtual machine when video acceleration features were enabled. `CVE-2020-2682` was an out-of-bounds access caused by using a guest-controlled surface handle as an index without effective bounds enforcement in release builds, while `CVE-2020-2758` was a use-after-free tied to stale VGA surface pointers during guest-triggerable display resize operations. In both cases, crafted VBVA commands could corrupt memory in the host-side VirtualBox process and potentially achieve privilege escalation or full VM escape. Oracle addressed the issues in its **January 2020** and **April 2020 Critical Patch Update** advisories, respectively.
3 weeks ago
Oracle VirtualBox E1000 Flaws Enable Guest Memory Leak and Host Escape
Oracle VirtualBox's emulated Intel PRO/1000 MT Desktop (`E1000`) network adapter was found to contain multiple security flaws that let attackers abuse packet-processing logic from inside a guest VM. One issue, tracked as **`CVE-2020-2894`**, affects VirtualBox 6.1.0 and stems from improper validation in `e1kInsertChecksum()`, allowing checksum operations to read beyond a packet buffer and disclose adjacent memory. By manipulating checksum end offsets, an attacker in a guest can leak host-side data incrementally through the virtual NIC path. A separate flaw, **`CVE-2019-2722`**, impacts VirtualBox 5.2.28 and earlier and 6.0.6 and earlier, where an integer underflow in `e1kFallbackAddToFrame()` can trigger a heap out-of-bounds write in host memory. An attacker with root or administrator privileges in the guest can craft transmit descriptors to corrupt host memory and potentially escape the VM to host ring 3. Both vulnerabilities were disclosed through Trend Micro Zero Day Initiative's **Pwn2Own** program, and Oracle released fixes through its security update process.
3 weeks ago