Oracle issues patches for 10 ‘virtual machine escape’ flaws in VirtualBox
Enterprise tech giant Oracle released a collection of critical security patches this month to address 10 exploitable vulnerabilities in VirtualBox.
Both popular and powerful, VirtualBox is Oracle’s hypervisor, which allows users to run virtual machines on a user’s host operating system.
Affecting anyone using VirtualBox, the “easily exploitable” vulnerabilities allow a hacker to stage a “virtual machine escape” and attack the host operating system, TechRepublic reports.
The vulnerabilities are found in the core graphics framework that is mirrored between the host and guest machine. It affects all host operating systems, according to SecuriTeam. You can find an extensive and technical write-up of the exploits here.
The vulnerability in mirrored memory allows attackers to exploit the host operating system from the virtual machine.
This particular vulnerability, CVE-2018-2698, was found by independent security researcher Niklas Baumstark via Beyond Security’s SecuriTeam.
After Oracle issued patches and an announcement, Baumstark outlined the problems on Twitter:
Oracle has a full list of vulnerabilities addressed by the January patches including patches addressing the Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) Intel processor vulnerabilities. Oracle is monitoring the performance impact of the patches in much the same way that other major vendors, including Amazon and Microsoft, are doing.
Oracle urges all VirtualBox users to apply the latest patches.