CVE-2020-14677: Oracle VirtualBox PCnet Time-Of-Check Time-Of-Use Privilege Escalation Vulnerability
First published: Wed Jul 15 2020(Updated: )
This vulnerability allows local attackers to escalate privileges on affected installations of Oracle VirtualBox. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the handling of Transmit Message Descriptors in the implementation of PCnet virtual network interfaces. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the hypervisor.
Credit: secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Oracle VirtualBox | ||
| Oracle VM VirtualBox | <5.2.44 | |
| Oracle VM VirtualBox | >=6.0.0<6.0.24 | |
| Oracle VM VirtualBox | >=6.1.0<6.1.12 | |
| openSUSE | =15.1 | |
| openSUSE | =15.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00068.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00079.html
- https://security.gentoo.org/glsa/202101-09
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.zerodayinitiative.com/advisories/ZDI-20-893/
Frequently Asked Questions
What is CVE-2020-14677?
CVE-2020-14677 is a vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization that allows a high privileged attacker with logon to the infrastructure to escalate their privileges.
Which versions of Oracle VirtualBox are affected by CVE-2020-14677?
CVE-2020-14677 affects versions prior to 5.2.44, prior to 6.0.24, and prior to 6.1.12 of Oracle VirtualBox.
How severe is CVE-2020-14677?
CVE-2020-14677 has a severity value of 7.5, which is considered high.
How can the CVE-2020-14677 vulnerability be exploited?
Exploiting CVE-2020-14677 is difficult and requires a high privileged attacker with logon to the infrastructure where Oracle VirtualBox is installed.
Are there any references for CVE-2020-14677?
Yes, you can find more information about CVE-2020-14677 at the following references: [1](http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00068.html), [2](http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00079.html), [3](https://security.gentoo.org/glsa/202101-09).
- agent/type
- agent/references
- agent/weakness
- agent/author
- agent/title
- agent/severity
- agent/softwarecombine
- agent/first-publish-date
- agent/description
- collector/zdi-advisory
- source/ZDI
- alias/ZDI-20-893
- alias/ZDI-CAN-10898
- alias/CVE-2020-14677
- agent/software-canonical-lookup
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/oracle
- canonical/oracle virtualbox
- canonical/oracle vm virtualbox
- version/oracle vm virtualbox/6.0.0
- version/oracle vm virtualbox/6.1.0
- vendor/opensuse
- canonical/opensuse
- version/opensuse/15.1
- version/opensuse/15.2