A critical security flaw in Oracle VM VirtualBox (CVE-2024-21113) has been patched after researchers discovered it could allow local attackers to escalate privileges and compromise hypervisor environments.
The vulnerability, rated 8.8 (HIGH) on the CVSS v3.1 scale, affects VirtualBox versions prior to 7.0.16.
Vulnerability Details

The flaw stems from improper access control in VirtualBox's Core component, enabling low-privileged attackers with local access to the host infrastructure to execute arbitrary code.
While exploitation requires initial access to the target system, successful attacks could fully compromise the hypervisor, potentially impacting other virtualized resources due to its scope-changing nature (S:C).
Security analysts highlight the weakness in the virtual OHCI USB controller's implementation, specifically a lack of proper locking during object operations.
This vulnerability allows attackers with high-privileged access on a guest system to manipulate the hypervisor's memory and execute malicious code at the host level.
Oracle addressed the issue in VirtualBox 7.0.16, released April 16, 2024, as part of its Critical Patch Update. Organizations are urged to:
- Immediately update all VirtualBox installations to 7.0.16 or later
- Restrict host access to trusted users only
- Isolate VirtualBox environments from critical network segments
- Monitor for unusual activity in the virtualization infrastructure

The vulnerability was reported to Oracle on March 28, 2024, by researcher Dungdm (@_piers2) of Viettel Cyber Security. Oracle's advisory confirms no active exploits were detected pre-patch, but the availability of a proof-of-concept on Zero Day Initiative's platform raises post-disclosure risks.
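The first remediation step above is a version check, so here is an added helper (not from Oracle or from the article) that parses the string printed by `VBoxManage --version` and compares it against the 7.0.16 threshold the advisory names; the sample version strings in it are constructed, and any release numbered beyond 7.0.x is treated as fixed because the advisory scopes the flaw to versions "prior to 7.0.16".

```python
import re
import shutil
import subprocess

# Fixed version named in Oracle's April 2024 Critical Patch Update for CVE-2024-21113.
FIXED_VERSION = (7, 0, 16)

# VBoxManage --version prints "<major>.<minor>.<patch>" followed by an 'r' build
# revision (e.g. "7.0.14r161095"); pre-releases carry a suffix such as "_BETA1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_[A-Za-z0-9]+)?(?:r(\d+))?$")


def parse_version(text):
    """Return (major, minor, patch) from VBoxManage output, or None if unrecognised."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups()[:3])


def is_patched(text):
    """True when the reported version is 7.0.16 or later (per the advisory's scope)."""
    v = parse_version(text)
    if v is None:
        raise ValueError("unrecognised VBoxManage version string: %r" % text)
    return v >= FIXED_VERSION


def check_installed_host():
    """Query VBoxManage on this host; returns (version_text, patched) or None if absent."""
    exe = shutil.which("VBoxManage") or shutil.which("vboxmanage")
    if exe is None:
        return None
    out = subprocess.run([exe, "--version"], capture_output=True,
                         text=True, check=True).stdout
    return out.strip(), is_patched(out)


if __name__ == "__main__":
    # Constructed sample outputs, not captured from a real host.
    for sample in ["7.0.14r161095", "7.0.16r162802", "7.1.0_BETA1r164728", "6.1.50r161033"]:
        print(sample, "patched" if is_patched(sample) else "VULNERABLE (CVE-2024-21113)")
    result = check_installed_host()
    print("this host:", result if result else "VBoxManage not found on PATH")
```

On Windows hosts VBoxManage.exe usually lives under the VirtualBox install directory rather than on PATH, so pass the full path or add it to PATH before running the host check.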
As a widely used cross-platform virtualization tool, VirtualBox's security gaps pose significant risks to development environments and enterprise infrastructure. Cybersecurity firm Snyk emphasizes the importance of rapid patching, noting the vulnerability's potential to bypass critical security boundaries between guest and host systems.
This incident underscores the persistent challenges in securing virtualization layers, where a single vulnerability can cascade across multiple systems. Oracle's prompt response and the coordinated disclosure timeline demonstrate improved industry practices, but administrators must remain vigilant against evolving hypervisor-targeted threats.