Hello, welcome to the Thursday, November 8, 2018 edition of the Sansonet Storm Center's

Stormcast. My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

If you're using Oracle's virtual box, be aware there is a new Saturday exploit available

that will allow a guest to break out

and execute code on the host. The problem here is the virtual Intel E-1000 network card

that's being immolated in Virtual Box. If it's configured in Nat mode, which is quite common, then you will be subject

to an integer overflow that can then be leveraged for a buffer overflow.

A blog post with details about this vulnerability, proof of concept code, and also a video

demo of the exploit has been made available by a Russian

researcher. In order to exploit this vulnerability, the attacker has to first replace the

network car driver in the guest. Now, the attacker does need root access inside a guest to accomplish that. But again,

remember, we're talking about a virtual machine escape and it's very typical that you're using

virtual machines in order to keep users apart from each other, even if they have root access

to their individual virtual machines.

Now, with a successful exploit, the attacker then gains user access to the host.

Not necessarily root access, another privilege escalation exploit would be required to accomplish that.

As far as countermeasures go, there is no patch available yet. Oracle

was not notified ahead of the release of this blog post and exploit. However, you could switch

to a different network card or you could not use Nat mode. The first is probably easier than the later, but it may require

that you're loading the right drivers and such in your virtual machines, so not necessarily easy

to just switch over. And while the exploit was only demonstrated on Ubuntu Linux running

within the guest, this is a vulnerability in Virtual Box, not in Ubuntu Linux running within the guest.

...