Oracle VirtualBox's emulated Intel PRO/1000 MT Desktop (E1000) network adapter was found to contain multiple security flaws that let attackers abuse packet-processing logic from inside a guest VM. One issue, tracked as CVE-2020-2894, affects VirtualBox 6.1.0 and stems from improper validation in e1kInsertChecksum(), allowing checksum operations to read beyond a packet buffer and disclose adjacent memory. By manipulating checksum end offsets, an attacker in a guest can leak host-side data incrementally through the virtual NIC path.
A separate flaw, CVE-2019-2722, impacts VirtualBox 5.2.28 and earlier and 6.0.6 and earlier, where an integer underflow in e1kFallbackAddToFrame() can trigger a heap out-of-bounds write in host memory. An attacker with root or administrator privileges in the guest can craft transmit descriptors to corrupt host memory and potentially escape the VM to host ring 3. Both vulnerabilities were disclosed through Trend Micro Zero Day Initiative's Pwn2Own program, and Oracle released fixes through its security update process.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
STAR Labs published technical details for CVE-2020-2894, describing how improper checksum parameter validation in e1kInsertChecksum() let a guest VM read memory beyond a packet buffer. The issue was disclosed through Trend Micro Zero Day Initiative's Pwn2Own program.
Oracle acknowledged CVE-2020-2894 and addressed it in its April 2020 Critical Patch Update advisory. The vulnerability in VirtualBox 6.1.0 allowed a guest VM to trigger an out-of-bounds read in the emulated E1000 adapter and leak host memory incrementally.
Oracle acknowledged and released an update for CVE-2019-2722, a guest-to-host escape vulnerability in VirtualBox's emulated Intel PRO/1000 MT Desktop network device. The flaw affected VirtualBox 5.2.28 and earlier and 6.0.6 and earlier and was disclosed through the Pwn2Own program.
A GitHub repository titled "virtualbox_e1000_0day" was published with technical material for a VirtualBox E1000 guest-to-host escape vulnerability. The publication appears to predate Oracle's later fix for CVE-2019-2722 and marks an earlier public disclosure of the issue.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
6 references tracked. Mallory keeps watching after this page renders.
starlabs.sg
Open sourcezerodayinitiative.com
Open sourcezerodayinitiative.com
Open sourcegithub.com
Open sourcestarlabs.sg
Open sourcegithub.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.