it.ucsf.edu

Security Update:VM escape in Oracle VirtualBox

Status Type

Security Update

Date and Time

Wednesday, November 14, 2018 - 11:30

Reason

Security Update

Impact

VirtualBox users

WHAT HAPPENED

A security researcher has published details of a vulnerability in Oracle’s VirtualBox virtualization software which can allow malicious code running inside a virtual machine (VM) to execute code on the host operating system.

 

Advanced Users: For a description of the vulnerabilities and affected systems, visit:

 

AFFECTED SYSTEMS:

The vulnerability requires the following conditions:

  • VirtualBox 5.2.20 and earlier versions
  • The use of a default virtual network device and mode for VirtualBox VMs. Specifically, an Intel Pro/1000MT Desktop (82540EM) virtual network device in NAT mode inside the guest OS.
  • Any guest OS inside the VirtualBox VM
  • Any underlying OS hosting VirtualBox

 

WHAT’S THE PROBLEM?

Virtual Machines (VMs) are frequently used to isolate applications that are untrusted or suspected of being malicious. Malicious code run inside a VM could “escape” the constraints of the VM and then execute arbitrary code on the host OS.

 

WHAT DO I NEED TO DO?

  • Update VirtualBox to 5.2.22 or later as soon as possible.
  • If you cannot update VirtualBox, change the virtual network card inside VirtualBox VMs to something other than Intel Pro/1000 MT Desktop (82540EM)
    If you cannot change the virtual network card, change the mode from NAT to another mode.
  • Consider using VMware instead of VirtualBox. Current UCSF students, staff and faculty can use VMware software for educational, instructional and non-commercial research purposes.

 

RELATED LINKS