Zero-Day Threat Analysis by FortiGuard Labs
Oracle VirtualBox is the world’s most popular cross-platform virtualization product. The FortiGuard Labs team recently discovered (on December 6, 2018) a network Denial of Service (DoS) vulnerability in Oracle VirtualBox (CVE-2019-2527). The vulnerability is triggered by a crafted TCP session sent from a virtual machine (VM), which crashes the NAT process on the host machine and causes all the VMs in the same NAT network to lose their network connectivity.
This DoS vulnerability affects VirtualBox versions prior to 5.2.26 and 6.0.4.
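As an added example (not part of the original advisory or of VirtualBox itself), the following script classifies VirtualBox version strings against the fixed releases named above. It assumes that every version below 5.2.26, including older branches, is affected, and that the 6.0 branch is affected below 6.0.4; the sample strings and their revision suffixes are constructed.

```python
import re
import shutil
import subprocess

# Fixed releases named in the advisory text above.
FIXED_5_2 = (5, 2, 26)
FIXED_6_0 = (6, 0, 4)

# Constructed sample strings in the shape `VBoxManage --version` prints.
SAMPLES = ["5.2.24r128163", "5.2.26r128414", "6.0.2r128162",
           "6.0.4r128413", "5.1.38_Ubuntur122592", "not-a-version"]


def parse_version(text):
    """Return (major, minor, patch) from a version string, or None."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None


def is_affected(text):
    """True/False for a parsed version, None when it cannot be parsed.

    Assumption: anything below 5.2.26 (older branches included) counts as
    affected, and the 6.0 branch is affected below 6.0.4.
    """
    v = parse_version(text)
    if v is None:
        return None
    if v < FIXED_5_2:
        return True
    if (6, 0, 0) <= v < FIXED_6_0:
        return True
    return False


def installed_version():
    """Ask the local VBoxManage for its version; None if unavailable."""
    exe = shutil.which("VBoxManage")
    if exe is None:
        return None
    out = subprocess.run([exe, "--version"], capture_output=True, text=True)
    # Warnings may precede the version, so keep only the last line.
    lines = out.stdout.strip().splitlines()
    return lines[-1] if lines else None


if __name__ == "__main__":
    local = installed_version()
    labels = {True: "AFFECTED", False: "ok", None: "unparseable"}
    for s in SAMPLES + ([local] if local else []):
        print(f"{s:28} {labels[is_affected(s)]}")
```

An unparseable string returns `None` rather than `False`, so a host whose version could not be read is not silently counted as patched.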
The DoS Vulnerability
In VirtualBox, users can create their own NAT network in the settings and assign it to VMs. To demonstrate the zero-day DoS vulnerability, I will create a NAT Network called “yzyNatNetwork” and assign it to three VMs that are running Windows 7, Ubuntu, and Kali.
In Figure 3, the process VBoxNetNAT.exe running on the host machine is serving the NAT Network. Three instances of it are running, with PIDs 5148, 11472, and 7784.
The PoC generates a crafted TCP session and sends it out. Once we execute the PoC on one VM and send this TCP session through the NAT Network, the three VBoxNetNAT.exe processes on the host machine will crash. This will cause all the other VMs in the same NAT Network to lose network connectivity.
I have created a demonstration video that walks through this zero-day vulnerability. You can watch that video here.
All users of vulnerable versions of Oracle VirtualBox are encouraged to upgrade to the latest VirtualBox version or apply the latest patches immediately. Additionally, organizations that have deployed Fortinet IPS solutions are already protected from this vulnerability with the following signature: