Industry Trends

Oracle VirtualBox Remote Display Server DoS Vulnerability Disclosed by FortiGuard Labs

By Peixue Li | October 30, 2015
Overview
Oracle VirtualBox is a powerful, freely available Type 2 hypervisor that runs on Windows, Mac, Linux, and Solaris operating systems. It is used in both enterprise and prosumer settings. Although it doesn’t enjoy the enterprise market share of VMware and Microsoft Hyper-V, its free availability and flexibility make it a popular choice for test and development environments.
 
Researchers at FortiGuard Labs have discovered a remote denial of service (DoS) vulnerability (CVE-2015-4896) in the VirtualBox Remote Display Server, caused by insufficient validation of a malformed message. This can lead to an unexpected error in the VirtualBox Remote Display Server which can lead to the DoS.
 
As Oracle points out in their advisory, only virtual machines with the Remote Display feature (RDP) enabled are impacted by this vulnerability. However, authentication is not required to successfully launch the DoS attack.
 
Analysis
The following screenshot shows the malformed packet:
 
When we dissect the payload, we find:
 
As you can see, the attack packet contains a malformed T125:MCSConnect Initial message. VirtualBox Remote Display Server does not properly validate it so that the VirtualBox Remote Display Server stops serving new connection. The malformed message contains an invalid BER length in MaximumParameters. The normal BER length should be 0x1C, but the malformed BER length in the packet is 0x3B. 
 
Mitigation
Users of VirtualBox prior to version 4.0.34, 4.1.42, 4.2.34, 4.3.32, and/or 5.0.8 should apply the latest Oracle Critical Patch for their version.
 
Networks and users who have deployed Fortinet IPS are automatically protected from this vulnerability by IPS Signature Oracle.VirtualBox.Remote.Display.Server.DoS.
 
Thanks to the FortiGuard Labs team for discovering this vulnerability.

Join the Discussion