Technical Details Released for CVE-2024-21115 Vulnerability Reported in VM VirtualBox
Technical details have emerged about a significant security vulnerability, CVE-2024-21115, which has been discovered in Oracle VM VirtualBox, a widely used product under Oracle Virtualization. This flaw can lead to the complete takeover of the VirtualBox environment.
CVE-2024-21115 is an out-of-bounds (OOB) write vulnerability that impacts Oracle VM VirtualBox versions before 7.0.16. The vulnerability can be exploited by an attacker with low-level privileges who has logon access, making it a particularly concerning threat for environments where multiple users access the virtualization infrastructure. The vulnerability carries a CVSS 3.1 base score of 8.8, indicating a high level of severity affecting the confidentiality, integrity, and availability of the system.
Because VirtualBox is often used to run multiple virtual machines on a single host system, a successful exploit could potentially open the door to compromising other software running within those virtual machines.
Pwn2Own Vancouver 2024 (ZDI)
The flaw was initially discovered by security researcher Cody Gallagher during the Pwn2Own Vancouver 2024 competition, where he successfully demonstrated the exploit and received a $20,000 reward for his findings. Gallagher recently published a detailed write-up on the vulnerability, explaining the technical nuances and the conditions under which the bug can be triggered.
According to Gallagher’s research, the core of the vulnerability lies in the vgaR3DrawBlank function, which is called from vgaR3UpdateDisplay. The flaw involves a relatively bit clear on the heap from the VGA device, and it can be triggered with as little as a single processor core and 32MB of VRAM, using the default graphics controller for Linux (VMSVGA). Gallagher’s findings suggest that the vulnerability may also affect other graphics controllers, pointing to a broader impact than initially assessed.
Oracle has responded to this critical vulnerability by releasing a patch in April, with updates in VirtualBox version 7.0.16 and later. Users of Oracle VM VirtualBox are strongly urged to update their systems to the latest version to prevent potential exploits. Given the nature of the vulnerability and its ease of exploitation, all affected systems must be updated immediately to safeguard against possible attacks.
