VirtualBox 0-day bug released

A security researcher released the details of a VirtualBox vulnerability that affects VirtualBox 5.2.20 and earlier versions. 

Security researcher Sergey Zelenyuk described the details of the VirtualBox E1000 Guest-to-Host Escape vulnerability, along with an exploit, in a GitHub blog post.

The flaw, dubbed “Guest-to-Host Escape,” lets attackers escape the virtual (or guest) machine and gain access to the underlying host operating system.

“The exploit is Linux kernel module (LKM) to load in a guest OS. The Windows case would require a driver differing from the LKM just by an initialization wrapper and kernel API calls,” Zelenyuk said. 

He also appeared to be disgruntled over how companies handle their bug bounty programs. He said he released the 0-day exploit over his “disagreement with contemporary state of infosec, especially of security research and bug bounty.”
