![]() Unfortunately in this case I didn’t manage to get an exploit together in time for the Pwn2Own contest, so I ended up reporting the first two to the Zero Day Initiative and the checksum bug to Oracle directly.” wrote Van Amerongenīusinesses and organizations are recommended to update their VirtualBox installations to the latest version as soon as possible. While most public research has been focused on their main components, such as ring buffers, offloads don’t appear to have had as much scrutiny. “Offload support is commonplace in modern network devices so it’s only natural that virtualization software emulating devices does it as well. The flaws are caused by the lack of proper validation of user input data, their exploitation can allow an attacker to escalate privileges and execute arbitrary code on the a vulnerable Oracle VM VirtualBox.īoth issues affect versions before 6.1.20 and have been addressed addressed by Oracle in April 2021. The CVE-2021-2145 is an integer underflow privilege escalation vulnerability in Oracle VirtualBox NAT, while the CVE-2021-2310 is a heap-based buffer overflow privilege escalation vulnerability in Oracle VirtualBox NAT. The CVE-2021-2442 vulnerability was addressed by Oracle in July with the release of Critical Patch Update.Īmerongen also discovered other two vulnerabilities tracked as CVE-2021-2145 and CVE-2021-2310 respectively. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox.” reads the advisory published by NIST. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. “Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. In some instances, it can also be used to remotely DoS other Virtualbox VMs! /Ir9YQgdZQ7- maxpl0it August 1, 2021 Report a bug or suggest an enhancement For further API reference and developer documentation see the Java SE Documentation, which contains more detailed, developer-targeted descriptions with conceptual overviews, definitions of terms, workarounds, and working code examples. Works as both an OOB read in the host process, as well as an integer underflow. an AccessibleBoxFiller that serves as the AccessibleContext of this Box.Filler. ![]() Got another Virtualbox vuln fixed (CVE-2021-2442)
0 Comments
Leave a Reply. |