CVE-2021-35538

7.8 HIGH

📋 TL;DR

This vulnerability in Oracle VM VirtualBox allows a low-privileged local attacker to gain full control of the virtualization software, potentially compromising all virtual machines. It affects VirtualBox installations on non-Windows systems running versions prior to 6.1.28. The attacker must have local access to the host system where VirtualBox is installed.

💻 Affected Systems

Products:
  • Oracle VM VirtualBox
Versions: All versions prior to 6.1.28
Operating Systems: Linux, macOS, Solaris, Other Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: This vulnerability does NOT affect Windows systems; only non-Windows platforms where VirtualBox is installed are affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the VirtualBox host, allowing the attacker to access, modify, or destroy all virtual machines and their data.

🟠 Likely Case: An attacker with local user access escalates privileges to gain control over VirtualBox and potentially other virtualized systems.

🟢 If Mitigated: Limited impact if proper access controls and isolation are implemented, though VirtualBox itself remains vulnerable.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring attacker access to the host system.
🏢 Internal Only: HIGH - Any internal user with local access to VirtualBox hosts can potentially exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Oracle describes this as 'easily exploitable', but it requires local access with low privileges. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.1.28 or later

Vendor Advisory: https://www.oracle.com/security-alerts/cpuoct2021.html

Restart Required: Yes

Instructions:

1. Download VirtualBox 6.1.28 or later from Oracle's website.
2. Stop all running virtual machines.
3. Uninstall the current VirtualBox version.
4. Install the updated version.
5. Restart the host system.

🔧 Temporary Workarounds

Restrict VirtualBox Access (platform: linux)

Limit which users can access and run VirtualBox to reduce the attack surface:

# "trustedgroup" is a placeholder: use the group whose members are allowed to run VirtualBox
sudo chmod 750 /usr/bin/virtualbox
sudo chown root:trustedgroup /usr/bin/virtualbox
# /usr/bin/virtualbox is typically a symlink to a launcher script, and chmod/chown follow it to the
# target. VBoxManage, VBoxHeadless and the other binaries in the installation directory (for example
# /usr/lib/virtualbox) remain runnable by any local user unless they are restricted the same way.

Isolate VirtualBox Hosts (platform: all)

Ensure VirtualBox hosts are on isolated networks and not accessible to untrusted users.

🧯 If You Can't Patch

  • Remove VirtualBox from systems where it's not essential
  • Implement strict access controls and monitor for suspicious VirtualBox activity

🔍 How to Verify

Check if Vulnerable:

Check the installed VirtualBox version:

VBoxManage --version

Any version below 6.1.28 on a non-Windows host is vulnerable.

Verify Fix Applied:

Verify the version is 6.1.28 or higher. The pattern accepts 6.1.28 and 6.1.29, 6.1.30 through 6.1.99, and the 6.2 to 7.x series; VBoxManage --version prints a build suffix beginning with "r" after the version number, which the pattern ignores:

VBoxManage --version | grep -E '6\.1\.(2[8-9]|[3-9][0-9])|6\.[2-9]|7\.[0-9]'
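The regular expression above is a quick check, but it stops matching for three-digit patch levels or future major versions. The following script is an added example, not part of the original advisory or of VirtualBox itself: it normalizes the string printed by VBoxManage --version (dropping the build suffix) and compares it numerically against the fixed release 6.1.28. The version strings in the comments and tests are constructed samples; the function names are the script's own.

```shell
#!/bin/sh
# Added example (not from the original advisory): numeric comparison of a
# VirtualBox version string against the fixed release for CVE-2021-35538.
# VBoxManage --version prints values of the form "6.1.26r145957"
# (major.minor.patch followed by a build suffix); the samples used here are constructed.

FIXED_VERSION="6.1.28"

# Keep only major.minor.patch, dropping any build suffix such as r147628 or _Ubuntu.
normalize_version() {
    printf '%s' "$1" | sed -E 's/^([0-9]+\.[0-9]+\.[0-9]+).*/\1/'
}

# Returns 0 (true) when version $1 is numerically older than version $2, 1 otherwise.
# Each dotted component is compared as an integer, so 6.1.100 sorts after 6.1.28.
version_lt() {
    a=$(normalize_version "$1")
    b=$(normalize_version "$2")
    [ "$a" != "$b" ] && \
        [ "$(printf '%s\n%s\n' "$a" "$b" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$a" ]
}

# Prints VULNERABLE when the given version string is below 6.1.28, PATCHED otherwise.
assess_version() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "VULNERABLE"
    else
        echo "PATCHED"
    fi
}

# When run on a host that has VirtualBox installed, assess the live installation.
if command -v VBoxManage >/dev/null 2>&1; then
    installed=$(VBoxManage --version 2>/dev/null)
    echo "installed VirtualBox $installed -> $(assess_version "$installed")"
fi
```

Run the script directly on a host to get a VULNERABLE/PATCHED verdict for the installed copy, or source it and call assess_version with version strings collected from an inventory of hosts. Because the comparison is numeric rather than pattern-based, it does not need updating when a new major version ships.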

📡 Detection & Monitoring

Log Indicators:

  • Unusual VirtualBox process activity from non-admin users
  • Failed privilege escalation attempts in system logs
  • Unexpected VirtualBox service restarts

Network Indicators:

  • Unusual network traffic from VirtualBox host to virtual machines
  • Suspicious connections between virtual machines

SIEM Query:

source="virtualbox.log" AND (event="privilege_escalation" OR event="unauthorized_access")
