CVE-2020-14892
Description
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.16. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 5.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A low-privileged attacker can crash Oracle VM VirtualBox via a Core flaw before 6.1.16, leading to a complete denial of service.
Vulnerability
In Oracle VM VirtualBox versions prior to 6.1.16, a vulnerability exists in the Core component that allows a low-privileged local attacker to cause a hang or frequently repeatable crash (complete denial of service) of the hypervisor. The flaw is reachable when the attacker has logon access to the infrastructure where VirtualBox runs [1]. No special configuration beyond default is required.
Exploitation
An attacker with low privileges and local logon access to the system where VirtualBox runs can exploit this vulnerability. The attack complexity is low and requires no user interaction beyond the attacker's own actions. The specific sequence involves leveraging a weakness in the Core component to trigger an unstable state, leading to a hang or crash of the VirtualBox process [1].
Impact
Successful exploitation results in a complete denial of service (DOS) of Oracle VM VirtualBox, meaning the virtualization software becomes unavailable until manually restarted. The attack affects availability only, with no impact on confidentiality or integrity. The CVSS 3.1 base score is 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) [1].
Mitigation
Oracle released a fix with VirtualBox version 6.1.16. Gentoo recommends all users upgrade to at least version 6.1.18 (available via >=app-emulation/virtualbox-6.1.18). No known workaround exists; upgrading is the only mitigation [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <6.1.16
- Range: unspecified
Patches
No patches discovered yet.
References
- security.gentoo.org/glsa/202101-15 (mitre, vendor-advisory, x_refsource_GENTOO)
- www.oracle.com/security-alerts/cpuoct2020.html (mitre, x_refsource_MISC)