CVE (Common Vulnerabilities and Exposures) is a system for classifying vulnerabilities. The vulnerability classified as CVE-2020-2703 applies to the VirtualBox hypervisor. The developed software makes it possible to exploit the vulnerability and was acknowledged by the producer of the hypervisor (Oracle), as visible on the official page https://www.oracle.com/security-alerts/cpujan2020.html. The vulnerability affects the hypervisor and can be used to bypass security measures, for example to execute code and subvert the system. The impact is classified using the standard CVSS3 metric, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H, which results in a "medium" risk with a score of 6.5/10. The exploit uses a newly introduced capability of VirtualBox: passing PCIe devices directly to the virtual machine. The lack of correct privilege segmentation between the hypervisor and this capability gives an attacker the ability to exploit the host. More information on the exploit can be found at http://cs.unibo.it/~davide.berardi6/post/20200210-1.html and in the official CVE repositories: https://nvd.nist.gov/vuln/detail/CVE-2020-2703

Davide Berardi (2020). CVE-2020-2703.

CVE-2020-2703

Davide Berardi
First
Software
2020

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11585/785648