
CVE-2020-2703

Davide Berardi
2020-01-01

Abstract

CVE (Common Vulnerabilities and Exposures) is a system for classifying vulnerabilities. The vulnerability classified as CVE-2020-2703 applies to the VirtualBox hypervisor. The developed software makes it possible to exploit the vulnerability and was acknowledged by the producer of the hypervisor (Oracle), as visible on the official page https://www.oracle.com/security-alerts/cpujan2020.html. The vulnerability affects the hypervisor and can be used to bypass security measures, for example to execute code and subvert the system. The impact is classified using the standard CVSS3 metric, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H, which results in a "medium" risk, with a score of 6.5/10. The exploit uses a newly introduced capability of VirtualBox: the possibility of passing PCIe devices directly to the virtual machine. The lack of correct privilege segmentation between the hypervisor and this capability gives an attacker the ability to exploit the host. More information on the exploit can be found at http://cs.unibo.it/~davide.berardi6/post/20200210-1.html and in the official CVE repositories: https://nvd.nist.gov/vuln/detail/CVE-2020-2703
2020
Cyber Security
VirtualBox
Virtualization

Use this identifier to cite or link to this document: https://hdl.handle.net/20.500.12606/10318