CVE-2019-2867: Oracle VirtualBox Out-Of-Bounds Write Privilege Escalation Vulnerability
First published: Tue Jul 23 2019(Updated: )
This vulnerability allows local attackers to escalate privileges on affected installations of Oracle VirtualBox. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the shader_get_registers_used function. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated object. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the hypervisor.
Credit: secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Oracle VirtualBox | ||
| Oracle VM VirtualBox | >=5.0.0<5.2.32 | |
| Oracle VM VirtualBox | >=6.0.0<6.0.10 | |
| openSUSE Leap | =15.0 | |
| openSUSE Leap | =15.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.oracle.com/security-alerts/cpujul2019.html
- https://www.zerodayinitiative.com/advisories/ZDI-19-964/
- https://www.zerodayinitiative.com/advisories/ZDI-19-965/
- https://www.zerodayinitiative.com/advisories/ZDI-19-963/
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00056.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://security.gentoo.org/glsa/202101-09
Frequently Asked Questions
What is CVE-2019-2867?
CVE-2019-2867 is a vulnerability in Oracle VirtualBox that allows a high privileged attacker to escalate their privileges.
How does the Oracle VirtualBox Out-Of-Bounds Write Privilege Escalation Vulnerability (CVE-2019-2867) affect me?
If you are using Oracle VirtualBox versions prior to 5.2.32 or 6.0.10, you may be affected by this vulnerability.
How severe is the Oracle VirtualBox Out-Of-Bounds Write Privilege Escalation Vulnerability (CVE-2019-2867)?
The severity of CVE-2019-2867 is high, with a CVSS score of 8.2.
How can I fix the Oracle VirtualBox Out-Of-Bounds Write Privilege Escalation Vulnerability (CVE-2019-2867)?
To fix CVE-2019-2867, you should update your Oracle VirtualBox installation to version 5.2.32 or 6.0.10, depending on the affected version.
Where can I find more information about the Oracle VirtualBox Out-Of-Bounds Write Privilege Escalation Vulnerability (CVE-2019-2867)?
You can find more information about CVE-2019-2867 on the Oracle website and the Zero Day Initiative website.
- collector/zdi-advisory
- alias/ZDI-19-964
- alias/ZDI-CAN-8673
- alias/CVE-2019-2867
- alias/ZDI-19-965
- alias/ZDI-CAN-8674
- alias/ZDI-19-963
- alias/ZDI-CAN-8418
- collector/nvd-index
- agent/weakness
- agent/title
- agent/severity
- agent/references
- agent/author
- agent/tags
- agent/type
- agent/event
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- vendor/oracle
- canonical/oracle virtualbox
- canonical/oracle vm virtualbox
- version/oracle vm virtualbox/5.0.0
- version/oracle vm virtualbox/6.0.0
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.0
- version/opensuse leap/15.1