Threat Research

Oracle VirtualBox NAT Network DoS Vulnerability

By Zhouyuan Yang | January 31, 2019

Zero-Day Threat Analysis by FortiGuard Labs

 

Oracle VirtualBox is the world’s most popular cross-platform virtualization product. The FortiGuard Labs team recently discovered on (December 6, 2018) a network Denial of Service (DoS) vulnerability in Oracle VirtualBox (CVE-2019-2527). This DoS vulnerability is caused by a crafted TCP session sent from a virtual machine (VM) that causes the NAT process on the host machine to crash and all the VMs in the same NAT network to lose their network connectivity.

This DoS vulnerability affects VirtualBox versions prior to 5.2.26 and 6.0.4.

The DoS Vulnerability

In VirtualBox, users can create their own NAT network in the settings and assign it to VMs. To demonstrate the zero-day DoS vulnerability, I will create a NAT Network called “yzyNatNetwork” and assign it to three VMs that are running Windows 7, Ubuntu, and Kali.

Figure 1. Creating a NAT Network
Figure 2. Assigning the NAT Network to a VM
Figure 3. Assigning that same NAT Network to three different VMs

In Figure 3, the process VBoxNetNAT.exe running on the host machine is serving the NAT Network. It has three PIDs, which are 5148, 11472, and 7784.

The PoC will generate a craft TCP session and send it out. Once we execute the PoC on one VM and send this TCP session through the NAT Network, the three processes of the VBoxNetNAT.exe on the host machine will crash. This will cause all the other VMs in the same NAT Network to lose network connectivity.

Figure 4. NAT Crash and Network DoS

The Demo

I have created a demonstration video that walks through this zero-day vulnerability. You can watch that video here.

 

Solution

All users of vulnerable versions of Oracle VirtualBox are encouraged to upgrade to the latest VirtualBox version or apply the latest patches immediately. Additionally, organizations that have deployed Fortinet IPS solutions are already protected from this vulnerability with the following signature:

Oracle.VirtualBox.NatCrash.DoS

Read more: Fortinet Discovers Oracle VirtualBox Denial of Service Vulnerability

 

Learn more about FortiGuard Labs and the FortiGuard Security Services portfolioSign up for our weekly FortiGuard Threat Brief. 

Know your vulnerabilities – get the facts about your network security. A Fortinet Cyber Threat Assessment can help you better understand: Security and Threat Prevention, User Productivity, and Network Utilization and Performance.

Read about the FortiGuard Security Rating Service, which provides security audits and best practices.