NEW RESEARCH: Hunting vulnerabilities in Oracle VM VirtualBox network offloads

November 2021 by SentinelLabs

Oracle VM VirtualBox – virtualisation software that manages virtual machines – allows users to run multiple guest operating systems (like Windows, Mac OS X, Linux, or Oracle Solaris) on a single host. This means users can run software written for one OS on another, such as Windows software on Linux or a Mac, without having to reboot to use it.

In summary:

• SentinelLabs noticed that the function used for sending packets from the guest to the network contained a separate code path for Generic Segmentation Offload (GSO) frames and was using memcpy to combine pieces of data.

• After going through various code paths and writing a simple Python-based constraint solver for all the limiting factors, SentinelLabs researchers found they could control more than they expected when using the Paravirtualization Network device called VirtIO.

• Vulnerability analysis:

o CVE-2021-2145 - Oracle VirtualBox NAT Integer Underflow Privilege Escalation Vulnerability

If the supplied size is larger than the largest allocation size [MJUM16BYTES (0x4000 bytes)], a bucket size of 0x800 is selected for the allocation. Since the actual data size is larger, this results in a heap overflow.

o CVE-2021-2310 - Oracle VirtualBox NAT Heap-based Buffer Overflow Privilege Escalation Vulnerability

The function PDMNetGsoIsValid verifies whether the GSO parameters supplied by the guest are valid, but the call to it is placed inside an assertion. Assertions like these aren’t compiled into the release build, so invalid GSO parameters are accepted. This allows the size calculation to be wrong, overflowing the allocated region.

o CVE-2021-2442 - Oracle VirtualBox NAT UDP Header Out-of-Bounds

GSO isn’t the only vulnerable offload mechanism here: Checksum Offload is affected too. The vulnerability lies in the function RTNetUDPChecksum. It can also be used to cause a denial of service against other VMs on the network.
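To illustrate the assertion-only validation behind CVE-2021-2310, here is an added example (not VirtualBox code; the struct fields, function names and sample values are assumptions) that models the check vanishing in a release build beside an unconditional check that refuses the frame:

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for a guest-supplied GSO descriptor. Field names are
 * assumptions for this example, not VirtualBox's real PDMNETWORKGSO layout. */
typedef struct {
    uint16_t hdr_len; /* header bytes repeated in every segment */
    uint16_t mss;     /* maximum payload bytes per segment */
} gso_params_t;

/* Sanity checks that must hold before any size arithmetic trusts the guest. */
static bool gso_is_valid(const gso_params_t *p, size_t frame_len)
{
    if (p->mss == 0)             return false; /* segment maths would divide by zero */
    if (p->hdr_len >= frame_len) return false; /* frame_len - hdr_len would wrap */
    return true;
}

/* What an assertion reduces to in a release build (NDEBUG): nothing at all. */
#define RELEASE_ASSERT(cond) ((void)0)

/* Anti-pattern from the write-up: validity is only checked inside an
 * assertion, so the release build computes the payload size from raw input. */
static size_t payload_size_release(const gso_params_t *p, size_t frame_len)
{
    RELEASE_ASSERT(gso_is_valid(p, frame_len));
    return frame_len - p->hdr_len; /* wraps to a huge value when hdr_len > frame_len */
}

/* Hardened form: validate unconditionally and refuse the frame on failure. */
static int payload_size_checked(const gso_params_t *p, size_t frame_len, size_t *out)
{
    if (!gso_is_valid(p, frame_len)) return -1;
    *out = frame_len - p->hdr_len;
    return 0;
}

/* Constructed inputs: a normal frame and one whose header length exceeds the frame. */
static const gso_params_t good = { .hdr_len = 54,  .mss = 1460 };
static const gso_params_t bad  = { .hdr_len = 200, .mss = 1460 };

size_t demo_bad_release(void)  { return payload_size_release(&bad, 100); }
int    demo_bad_checked(void)  { size_t n; return payload_size_checked(&bad, 100, &n); }
size_t demo_good_checked(void) { size_t n = 0; payload_size_checked(&good, 3000, &n); return n; }
```

The release-build path hands back a wrapped size far larger than the 100-byte frame, which is exactly the kind of value a later allocation or copy would trust; the checked path rejects the frame instead.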