Security Update: VM escape in Oracle VirtualBox
A security researcher has published details of a vulnerability in Oracle’s VirtualBox virtualization software which can allow malicious code running inside a virtual machine (VM) to execute code on the host operating system.
Advanced Users: For a description of the vulnerabilities and affected systems, visit:
- VirtualBox zero-day published by disgruntled researcher
- Researcher Drops Oracle VirtualBox Zero-Day
- Ranting researcher publishes VM-busting zero-day without warning
The vulnerability requires the following conditions:
- VirtualBox 5.2.20 and earlier versions
- The use of the default virtual network device and mode for VirtualBox VMs. Specifically, an Intel Pro/1000 MT Desktop (82540EM) virtual network device in NAT mode inside the guest OS.
- Any guest OS inside the VirtualBox VM
- Any underlying OS hosting VirtualBox
WHAT’S THE PROBLEM?
Virtual Machines (VMs) are frequently used to isolate applications that are untrusted or suspected of being malicious. Malicious code run inside a VM could “escape” the constraints of the VM and then execute arbitrary code on the host OS.
WHAT DO I NEED TO DO?
- Update VirtualBox to 5.2.22 or later as soon as possible.
- If you cannot update VirtualBox, change the virtual network card inside VirtualBox VMs to something other than Intel Pro/1000 MT Desktop (82540EM).
- If you cannot change the virtual network card, change the mode from NAT to another mode.
- Consider using VMware instead of VirtualBox. Current UCSF students, staff and faculty can use VMware software for educational, instructional and non-commercial research purposes.
- IT Security at https://it.ucsf.edu/security
- VMware Academic Program Subscription at https://it.ucsf.edu/services/vmware-academic-program-subscription
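
The following is an added example, not part of the original advisory: a shell audit that checks a host against the conditions listed above (a VirtualBox version older than 5.2.22, and any VM adapter that is an 82540EM device in NAT mode). The function names and the sample VM data are constructed for illustration, and the live audit assumes `VBoxManage` is on the PATH.

```shell
#!/bin/sh
# Added example: find VirtualBox adapters matching the advisory's conditions.

# Constructed sample of `VBoxManage showvminfo <vm> --machinereadable` output.
sample_vminfo() {
    printf '%s\n' 'name="constructed-vm"' \
        'nic1="nat"' 'nictype1="82540EM"' \
        'nic2="bridged"' 'nictype2="82540EM"' \
        'nic3="nat"' 'nictype3="virtio"' 'nic4="none"'
}

# Read machine-readable VM info on stdin; print each adapter slot that is
# both an 82540EM device and attached in NAT mode.
affected_nics() {
    awk -F= '
        { gsub(/"/, "", $2) }
        $1 ~ /^nic[0-9]+$/     { mode[substr($1, 4)] = $2 }
        $1 ~ /^nictype[0-9]+$/ { type[substr($1, 8)] = $2 }
        END { for (n in mode)
                  if (mode[n] == "nat" && type[n] == "82540EM") print n }
    ' | sort -n
}

# Succeed if version $1 (for example 5.2.20r125813) is older than 5.2.22.
version_is_vulnerable() {
    v=${1%%[!0-9.]*}    # drop any suffix after the dotted version number
    oldest=$(printf '%s\n' "$v" 5.2.22 |
             sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$v" != 5.2.22 ] && [ "$oldest" = "$v" ]
}

# Live audit; skipped on machines without VBoxManage.
if command -v VBoxManage >/dev/null 2>&1; then
    ver=$(VBoxManage --version)
    if version_is_vulnerable "$ver"; then
        echo "VirtualBox $ver is older than 5.2.22: update"
    fi
    VBoxManage list vms | sed -n 's/.*{\(.*\)}$/\1/p' | while read -r uuid; do
        for slot in $(VBoxManage showvminfo "$uuid" --machinereadable | affected_nics); do
            echo "VM $uuid adapter $slot: 82540EM in NAT mode"
            # Workaround with the VM powered off, e.g. another adapter type:
            # VBoxManage modifyvm "$uuid" --nictype"$slot" Am79C973
        done
    done
fi
```

In the constructed sample only adapter 1 is reported: adapter 2 uses the 82540EM device but is bridged, and adapter 3 is in NAT mode but uses a different device.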