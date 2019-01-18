Zero-Day Threat Analysis by FortiGuard Labs

Oracle VirtualBox is the world's most popular cross-platform virtualization product. The FortiGuard Labs team recently discovered (on December 6, 2018) a network Denial of Service (DoS) vulnerability in Oracle VirtualBox (CVE-2019-2527). The vulnerability is triggered by a crafted TCP session sent from a virtual machine (VM), which crashes the NAT process on the host machine and causes all the VMs in the same NAT network to lose their network connectivity.

This DoS vulnerability affects VirtualBox versions prior to 5.2.24 and 6.0.2.

The DoS Vulnerability

In VirtualBox, users can create their own NAT network in the settings and assign it to VMs. To demonstrate the zero-day DoS vulnerability, I will create a NAT Network called 'yzyNatNetwork' and assign it to three VMs that are running Windows 7, Ubuntu, and Kali.

Figure 1. Creating a NAT Network

Figure 2. Assigning the NAT Network to a VM

Figure 3. Assigning that same NAT Network to three different VMs

In Figure 3, the process VBoxNetNAT.exe running on the host machine is serving the NAT Network. It has three PIDs, which are 5148, 11472, and 7784. The PoC generates a crafted TCP session and sends it out. Once we execute the PoC on one VM and send this TCP session through the NAT Network, the three VBoxNetNAT.exe processes on the host machine crash. This causes all the other VMs in the same NAT Network to lose network connectivity.

Figure 4. NAT Crash and Network DoS

The Demo

I have created a demonstration video that walks through this zero-day vulnerability. You can watch that video here.
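
To check a host against the affected range given above (prior to 5.2.24 and 6.0.2), the following added example, which is not part of the original FortiGuard post, classifies the string printed by `VBoxManage --version`. It assumes that branches older than 5.2 also count as "prior to 5.2.24"; the function names are hypothetical.

```python
import re
import shutil
import subprocess

# Affected range as stated on this page: prior to 5.2.24 and prior to 6.0.2.
FIXED_5_2 = (5, 2, 24)
FIXED_6_0 = (6, 0, 2)


def parse_version(text):
    """Extract (major, minor, patch) from strings such as '5.2.22r126460'."""
    # VBoxManage may print warnings first; the version is the last non-empty line.
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", lines[-1]) if lines else None
    if match is None:
        raise ValueError(f"unrecognised VirtualBox version: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(text):
    """True if the version falls in the range this page lists for CVE-2019-2527."""
    version = parse_version(text)
    if version[:2] == (6, 0):
        return version < FIXED_6_0
    # Assumption: branches older than 5.2 count as "prior to 5.2.24".
    return version < FIXED_5_2


def local_version():
    """Return the output of `VBoxManage --version`, or None if it is not on PATH."""
    exe = shutil.which("VBoxManage")
    if exe is None:
        return None
    result = subprocess.run([exe, "--version"], capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    found = local_version()
    if found is None:
        print("VBoxManage not found on PATH")
    else:
        state = "AFFECTED, upgrade" if is_affected(found) else "not in affected range"
        print(f"VirtualBox {found.strip()}: {state}")
```
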