E1000 guest to host escape

Bug #1809156 reported by Martin Konrad on 2018-12-19
This bug affects 2 people
Affects                          Status  Importance  Assigned to                  Milestone
virtualbox (Ubuntu)                      High        Eduardo dos Santos Barretto
  Trusty                                 High        Unassigned
  Xenial                                 High        Unassigned
  Bionic                                 High        Unassigned
  Cosmic                                 High        Unassigned
virtualbox-lts-xenial (Ubuntu)
  Trusty                                 High        Unassigned

Bug Description

Looks like VirtualBox <=5.2.20 is vulnerable:

https://github.com/MorteNoir1/virtualbox_e1000_0day

I'm not a security expert but this looks serious to me. cosmic is still shipping 5.2.18. Are there any plans to upgrade to 5.2.22 or patch this?

According to my understanding the following patch fixes the issue:

https://www.virtualbox.org/changeset/75330/vbox

Have you considered adding this to the patch queue? Let me know if you want me to prepare a MR.

P.S.: Although this is all over the Internet it seems like Oracle is keeping this quiet [1]. No hint that this commit fixes a security issue, no mention in the change log [2]. As far as I can tell not even a CVE number has been assigned.

[1] https://forums.virtualbox.org/viewtopic.php?f=1&t=90235&p=433202&hilit=mortenoir1#p433237
[2] https://www.virtualbox.org/wiki/Changelog-5.2#v22

CVE References

Seth Arnold (seth-arnold) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

tags: added: community-security

The attached debdiff should fix the issue. Note that the build of the binary packages fails on my machine (even before applying the fix) so I wasn't able to take it for a test drive.

Seth Arnold (seth-arnold) wrote :

Thanks Martin; someone will probably give this a good look next week. In the meantime, I noticed that the patch doesn't indicate who authored the patch or where it came from -- could you amend the debdiff to include a URL where the upstream patch could be compared? (Best is to use the dep-3 tags: https://dep-team.pages.debian.net/deps/dep3/ )

Thanks

information type: Private Security → Public Security
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in virtualbox (Ubuntu):
status: New → Confirmed

The attachment "virtualbox_5.2.18-dfsg-3.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch

Hi Martin,

Thanks for providing a debdiff!

I've done some slight changes to it so it could be applied to bionic.

We built it on our PPA, could please test it?
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

We will be uploading to that same PPA a new version for cosmic as well.

Thanks,
Eduardo

Changed in virtualbox (Ubuntu):
assignee: nobody → Eduardo dos Santos Barretto (ebarretto)
Changed in virtualbox (Ubuntu):
status: Confirmed → In Progress
importance: Undecided → High

The package seems to work correctly. Note however that I had to confirm to downgrade when installing the package on cosmic. Turns out something is wrong with the version numbers in the changelog file:

$ zgrep virtualbox /usr/share/doc/virtualbox/changelog.Debian.gz | head -3
virtualbox (5.2.18-dfsg-2~ubuntu18.04.2) bionic-security; urgency=medium
virtualbox (5.2.18-dfsg-2~ubuntu18.04.1) bionic; urgency=medium
virtualbox (5.2.18-dfsg-2) unstable; urgency=medium

$ dpkg --compare-versions 5.2.18-dfsg-2~ubuntu18.04.1 lt 5.2.18-dfsg-2~ubuntu18.04.2 && echo OK || echo NOK
OK
$ dpkg --compare-versions 5.2.18-dfsg-2 lt 5.2.18-dfsg-2~ubuntu18.04.1 && echo OK || echo NOK
NOK
$ dpkg --compare-versions 5.2.18-dfsg-2 lt 5.2.18-dfsg-2~ubuntu18.04.2 && echo OK || echo NOK
NOK

Seems like this mistake crept into the previous version. We probably can't fix the previous version number anymore, but I would suggest using 5.2.18-dfsg-3~ubuntu18.14.1 for this release to ensure the package actually gets installed on our users' machines.

Thanks for testing!!

Great catch on the versioning.

It actually needs to be 5.2.18-dfsg-2ubuntu18.14.2 (it could also be 5.2.18-dfsg-2ubuntu18.14.1, but I think this will be confusing for those who check the changelog).

It can't be 5.2.18-dfsg-3~ubuntu18.14.1 because that would mean that we are based on 5.2.18-dfsg-3 (which is probably a valid version on Debian that is newer than what we have currently).

I will let you know again when bionic and cosmic hit the PPA.

Thanks

Hello, the patch looks correct

@ebarretto I would prefer it to be called something like:
5.2.18-dfsg-3~ubuntu18.04.2 instead, just bumping the last number.

trusty: 4.3.36-dfsg-1+deb8u1ubuntu1.14.04.1 -> 4.3.36-dfsg-1+deb8u1ubuntu1.14.04.2
xenial: 5.1.38-dfsg-0ubuntu1.16.04.1 -> 5.1.38-dfsg-0ubuntu1.16.04.2
bionic: 5.2.18-dfsg-2~ubuntu18.04.1 -> 5.2.18-dfsg-2~ubuntu18.04.2
cosmic: 5.2.18-dfsg-2 -> 5.2.18-dfsg-2ubuntu18.10.1

thanks!
I'll provide debdiffs shortly
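The dpkg ordering behind Martin's NOK results and the version bumps Gianfranco lists above, as an added example that is not part of the bug thread: a Python reimplementation of dpkg's version comparison (epoch / upstream / revision split, with '~' sorting below even the end of the string), run over the thread's own version strings. The TRANSITIONS table and the function names are this example's own, not anything from the packaging.

```python
def _order(c):
    """Weight of one character in a non-digit run; '~' sorts below everything."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else (ord(c) + 256 if c else 0)

def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg's verrevcmp() does."""
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = (_order(a[0]) if a else 0), (_order(b[0]) if b else 0)
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")      # numeric run: leading zeros ignored
        while a and a[0].isdigit() and b and b[0].isdigit():
            first_diff = first_diff or int(a[0]) - int(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1                             # the longer numeric run is greater
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(v):                                   # '[epoch:]upstream[-revision]'
    epoch, sep, rest = v.partition(":")
    epoch, rest = (epoch, rest) if sep else ("0", v)
    up, sep, rev = rest.rpartition("-")          # revision follows the LAST hyphen
    return int(epoch), (up if sep else rest), (rev if sep else "")

def compare_versions(a, b):
    """Negative, zero or positive, matching dpkg --compare-versions lt/eq/gt."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

# Transitions proposed in the thread (constructed table, one entry per release).
TRANSITIONS = {
    "trusty": ("4.3.36-dfsg-1+deb8u1ubuntu1.14.04.1", "4.3.36-dfsg-1+deb8u1ubuntu1.14.04.2"),
    "xenial": ("5.1.38-dfsg-0ubuntu1.16.04.1", "5.1.38-dfsg-0ubuntu1.16.04.2"),
    "bionic": ("5.2.18-dfsg-2~ubuntu18.04.1", "5.2.18-dfsg-2~ubuntu18.04.2"),
    "cosmic": ("5.2.18-dfsg-2", "5.2.18-dfsg-2ubuntu18.10.1"),
}

def check_upgrade_paths():
    """Release -> True if dpkg would install the new version over the old one."""
    return {r: compare_versions(old, new) < 0 for r, (old, new) in TRANSITIONS.items()}
```

Because '~' sorts lowest, 5.2.18-dfsg-2~ubuntu18.04.N stays below cosmic's plain 5.2.18-dfsg-2, which is what keeps the bionic-to-cosmic upgrade path intact; a plain 5.2.18-dfsg-2 already installed would, however, never be replaced by such a version.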

trusty debdiff

xenial debdiff

bionic debdiff

cosmic debdiff

Hi Gianfranco,

Thanks for providing debdiffs for trusty and xenial!

Regarding the version on bionic, it will be 5.2.18-dfsg-2ubuntu18.04.2.

It is possible that the current version 5.2.18-dfsg-2~ubuntu18.04.1 is not installed on some systems.

5.2.18-dfsg-2ubuntu18.04.2 will supersede 5.2.18-dfsg-2 (if anyone still has it installed) and will supersede 5.2.18-dfsg-2~ubuntu18.04.1 (incorrect version number).

That way no one will miss the update and/or be asked to downgrade.

It can be found currently here:
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=virtualbox

For cosmic we are still working on it because of jdk issues found.

I will provide the updates for trusty and xenial.

Thanks!

>5.2.18-dfsg-2ubuntu18.04.2 will supersede 5.2.18-dfsg-2 (if anyone still has it installed) and will supersede 5.2.18-dfsg-2~ubuntu18.04.1 (incorrect version number).

the version number is *not* incorrect.
it has been used as "backport", because cosmic had the same version, so it was used to maintain the correct upgrade path.

I still think my versioning is correct.

>It is possible that the current version 5.2.18-dfsg-2~ubuntu18.04.1 is not installed on some systems.

how?

5.2.18-dfsg-2~ubuntu18.04.1 updates (multiverse) 2018-11-26
5.2.10-dfsg-6 release (multiverse) 2018-04-27

it should be there, and in any case, 5.2.18-dfsg-2~ubuntu18.04.2 will guarantee the upgrade path from bionic/release, previous ubuntu releases, and upgrades to cosmic release/updates.

Hi Gianfranco,

>It is possible that the current version 5.2.18-dfsg-2~ubuntu18.04.1 is not installed on some systems.
>> how?

I was wondering if anyone had version 5.2.18-dfsg-2 installed and didn't do updates ever since, but this is a rare case.

>>5.2.18-dfsg-2~ubuntu18.04.1 updates (multiverse) 2018-11-26
>>5.2.10-dfsg-6 release (multiverse) 2018-04-27
>>
>>it should be there, and in any case, 5.2.18-dfsg-2~ubuntu18.04.2 will guarantee the upgrade path from bionic/release, previous ubuntu releases, and upgrades to cosmic release/updates.

Since you already did the checking that 5.2.18-dfsg-2 is not available any more in the archives we can go with your version for sure, that's not a problem.

Sorry if it sounded harsh when I said it was incorrect, I just wanted to point at possible update problems if a user still had the 5.2.18-dfsg-2 version installed.

Do you want me to provide the update, or do you want to do it since you're the current maintainer of virtualbox?

Also, did you have trouble with virtualbox on cosmic? With the lack of wsimport (openjdk-11 change), it is almost impossible to build the project right now.

Hello Eduardo:
I was wondering if anyone had version 5.2.18-dfsg-2 installed and didn't do updates ever since, but this is a rare case.

that version is the base in cosmic, so if anybody has it installed they are not on xenial anymore...
please don't confuse 5.0.18 and 5.2.18 :)
If you look carefully, all the virtualbox history is self consistent between and across supported and unsupported Ubuntu releases.

Of course mistakes can happen, and in case they do, please tell me exactly which version and which pocket you are referring to, and I'll have a look :)

>Sorry if it sounded harsh when I said it was incorrect, I just wanted to point at possible update >problems if a user still had the 5.2.18-dfsg-2 version installed.

this is my fault, I just had no time to fix this serious issue before (basically vbox 6 is taking all my time), so I don't re-read my posts :)

>Also, did you have trouble with virtualbox on cosmic? With the lack of wsimport (openjdk-11 change), >it is almost impossible to build the project right now.

java is a sad thing, since the beginning :P
there are two kinds of people:
1) people who have problems with java
2) people who never used it :)

(attached a revised cosmic patch)
For the upload, feel free to go ahead, I'm not part of security team, I don't think I can upload there...

I'll upload the test builds here:
https://launchpad.net/~costamagnagianfranco/+archive/ubuntu/locutusofborg-ppa

did I already say how java makes our life look sad?

new revision attached.

It truly does!

Thanks for the debdiffs.
Regarding trusty, my colleague mentioned that you will do a version update, does it include this fix or should I update trusty anyway?

Thanks again

for trusty, as you wish! my update is based on this one, so better go ahead with this fix and wait for the other to land later, or go ahead with the other and avoid this upload, as you want!

the 4.3.40 update contains this fix, so you can use the approach you prefer.

I would say since this is mostly a no-change upload, we can make this one reach security, and then take our time for the "big update to 4.3.40", so in case of regressions in the big one, we will have a stable baseline with this CVE fixed.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package virtualbox - 5.2.18-dfsg-2ubuntu18.10.1

---------------
virtualbox (5.2.18-dfsg-2ubuntu18.10.1) cosmic-security; urgency=medium

  * debian/patches/fix-for-guest-to-host-escape-vulnerability.patch:
    - Apply patch for guest-to-host escape vulnerability (LP: #1809156)
    - CVE-2018-3294
  * cherry-pick build fix by using java8 (from 5.2.20 Debian uploads)
    - use java8 again, java11 removes wsimport, useful to have the build finish.

 -- Martin Konrad <email address hidden> Wed, 26 Dec 2018 19:41:57 -0500

Changed in virtualbox (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package virtualbox - 4.3.36-dfsg-1+deb8u1ubuntu1.14.04.2

---------------
virtualbox (4.3.36-dfsg-1+deb8u1ubuntu1.14.04.2) trusty-security; urgency=medium

  * debian/patches/fix-for-guest-to-host-escape-vulnerability.patch:
    - Apply patch for guest-to-host escape vulnerability (LP: #1809156)
    - CVE-2018-3294

 -- Martin Konrad <email address hidden> Wed, 26 Dec 2018 19:41:57 -0500

Changed in virtualbox (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package virtualbox - 5.2.18-dfsg-2~ubuntu18.04.3

---------------
virtualbox (5.2.18-dfsg-2~ubuntu18.04.3) bionic-security; urgency=medium

  * debian/patches/fix-for-guest-to-host-escape-vulnerability.patch:
    - Apply patch for guest-to-host escape vulnerability (LP: #1809156)
    - CVE-2018-3294

 -- Martin Konrad <email address hidden> Wed, 26 Dec 2018 19:41:57 -0500

Changed in virtualbox (Ubuntu):
status: In Progress → Fix Released

Hello Martin, or anyone else affected,

Accepted virtualbox-lts-xenial into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/virtualbox-lts-xenial/4.3.36-dfsg-1+deb8u1ubuntu1.14.04.1~14.04.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed verification-needed-trusty
Changed in virtualbox (Ubuntu Cosmic):
status: New → Fix Released
importance: Undecided → High
Changed in virtualbox (Ubuntu Trusty):
status: New → Fix Released
Changed in virtualbox (Ubuntu Bionic):
status: New → Fix Released
Changed in virtualbox (Ubuntu Trusty):
importance: Undecided → High
Changed in virtualbox (Ubuntu Bionic):
importance: Undecided → High
no longer affects: virtualbox-lts-xenial (Ubuntu)
no longer affects: virtualbox-lts-xenial (Ubuntu Bionic)
no longer affects: virtualbox-lts-xenial (Ubuntu Cosmic)
Changed in virtualbox-lts-xenial (Ubuntu Trusty):
status: New → Fix Committed
importance: Undecided → High

I confirm the patch is there, the package builds, and the packaging is in sync with vbox trusty now.

the CVE is probably not exploitable with lts-xenial because only guest tools are built, so the verification is not useful/possible.

tags: added: verification-done verification-done-trusty
removed: verification-needed verification-needed-trusty
Changed in virtualbox (Ubuntu Xenial):
importance: Undecided → High
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package virtualbox-lts-xenial - 4.3.36-dfsg-1+deb8u1ubuntu1.14.04.1~14.04.6

---------------
virtualbox-lts-xenial (4.3.36-dfsg-1+deb8u1ubuntu1.14.04.1~14.04.6) trusty; urgency=medium

  * debian/patches/fix-for-guest-to-host-escape-vulnerability.patch:
    - Apply patch for guest-to-host escape vulnerability (LP: #1809156)
    - CVE-2018-3294

 -- Gianfranco Costamagna <email address hidden> Mon, 11 Mar 2019 17:54:59 +0100

Changed in virtualbox-lts-xenial (Ubuntu Trusty):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for virtualbox-lts-xenial has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
