Oracle VirtualBox E1000 Flaws Enable Guest Memory Leak and Host Escape
Oracle VirtualBox's emulated Intel PRO/1000 MT Desktop (E1000) network adapter was found to contain multiple security flaws that let attackers abuse packet-processing logic from inside a guest VM. One issue, tracked as CVE-2020-2894, affects VirtualBox 6.1.0 and stems from improper validation in e1kInsertChecksum(), allowing checksum operations to read beyond a packet buffer and disclose adjacent memory. By manipulating checksum end offsets, an attacker in a guest can leak host-side data incrementally through the virtual NIC path.
A separate flaw, CVE-2019-2722, impacts VirtualBox 5.2.28 and earlier and 6.0.6 and earlier, where an integer underflow in e1kFallbackAddToFrame() can trigger a heap out-of-bounds write in host memory. An attacker with root or administrator privileges in the guest can craft transmit descriptors to corrupt host memory and potentially escape the VM to host ring 3. Both vulnerabilities were disclosed through Trend Micro Zero Day Initiative's Pwn2Own program, and Oracle released fixes through its security update process.
Timeline
Apr 30, 2020
Pwn2Own disclosure details VirtualBox e1kInsertChecksum info leak
STAR Labs published technical details for CVE-2020-2894, describing how improper checksum parameter validation in e1kInsertChecksum() let a guest VM read memory beyond a packet buffer. The issue was disclosed through Trend Micro Zero Day Initiative's Pwn2Own program.
Apr 30, 2020
Oracle releases April 2020 CPU fix for VirtualBox OOB read (CVE-2020-2894)
Oracle acknowledged CVE-2020-2894 and addressed it in its April 2020 Critical Patch Update advisory. The vulnerability in VirtualBox 6.1.0 allowed a guest VM to trigger an out-of-bounds read in the emulated E1000 adapter and leak host memory incrementally.
Mar 20, 2019
Oracle fixes VirtualBox E1000 integer underflow flaw (CVE-2019-2722)
Oracle acknowledged and released an update for CVE-2019-2722, a guest-to-host escape vulnerability in VirtualBox's emulated Intel PRO/1000 MT Desktop network device. The flaw affected VirtualBox 5.2.28 and earlier and 6.0.6 and earlier and was disclosed through the Pwn2Own program.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Sources
Related Stories
Oracle VirtualBox VBVA Flaws Enabled Guest-to-Host VM Escape
Researchers disclosed two **Oracle VirtualBox** vulnerabilities in the **VirtualBox Video Acceleration (VBVA)** component that could let an attacker escape from a guest VM and execute code in the host VirtualBox process. The flaws, tracked as `CVE-2020-2682` and `CVE-2020-2758`, affected the HGSMI-exposed graphics path used by guest systems, making the vulnerable functionality reachable from inside a virtual machine when video acceleration features were enabled. `CVE-2020-2682` was an out-of-bounds access caused by using a guest-controlled surface handle as an index without effective bounds enforcement in release builds, while `CVE-2020-2758` was a use-after-free tied to stale VGA surface pointers during guest-triggerable display resize operations. In both cases, crafted VBVA commands could corrupt memory in the host-side VirtualBox process and potentially achieve privilege escalation or full VM escape. Oracle addressed the issues in its **January 2020** and **April 2020 Critical Patch Update** advisories, respectively.
3 weeks ago
Oracle VirtualBox SVGA Flaws Let Privileged Windows Guests Trigger Host Out-of-Bounds Reads
Oracle patched two VirtualBox vulnerabilities in its SVGA graphics stack that could let a **privileged attacker inside a Windows guest** trigger out-of-bounds reads on the host. **`CVE-2020-2748`** affects VirtualBox `6.1.0 r135406` in the `VMSVGA/VBoxSVGA` video adapter path, where guest-controlled cursor update data can supply an unchecked screen identifier that is later used in `Display::i_displayVBVAReportCursorPosition`, causing an out-of-bounds access to `maFramebuffers[aScreenId]`. STAR Labs said the flaw was disclosed through ZDI and Oracle addressed it in its April 2020 security advisory. A separate bug, **`CVE-2019-3026`**, affects VirtualBox `6.0.4 r128413` and stems from improper validation of SVGA 3D commands in `vmsvgaFIFOLoop`. STAR Labs reported that a size-check macro failed to exit the intended switch block, allowing malformed command headers to bypass validation and trigger an integer underflow followed by an out-of-bounds read in `vmsvga3dShaderSetConst()`. Exploitation requires the attacker to already have high privileges in the guest, and for the VM to have **3D acceleration enabled**; Oracle fixed the issue in its October 2019 Critical Patch Update.
3 weeks ago
Oracle VirtualBox HDA Flaws Let Guest Attackers Crash Host-Side VM Processes
Oracle patched two vulnerabilities in VirtualBox `6.0.4` affecting the emulated Intel HD Audio (HDA) controller used by Windows guests. **CVE-2019-3002** allows a privileged attacker inside a guest to manipulate HDA stream control and related registers so that audio stream initialization hits a divide-by-zero condition, crashing the virtual machine. **CVE-2019-3005** stems from a crafted stream descriptor number sent to the emulated HDA CODEC, which can detach an existing stream and leave a sink pointer `NULL`, leading to a host-side NULL pointer dereference when that sink is later accessed. Both issues require the attacker to already have high-privileged code execution inside the guest and the VM to be configured with the default HDA audio controller. The flaws were reported to Oracle on 2019-09-11 and fixed in the vendor's October 2019 Critical Patch Update, with STAR Labs noting that the bugs could be triggered through guest-controlled audio stream parameters in the VirtualBox HDA implementation.
3 weeks ago