CVE-2008-3431
Published: 05 August 2008
Summary
CVE-2008-3431 is a high-severity vulnerability of unspecified weakness type (no CWE is assigned) in Sun xVM VirtualBox, the product now shipped as Oracle VM VirtualBox. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 9.6% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
Deeper analysis
The vulnerability is a local privilege escalation flaw in the VBoxDrvNtDeviceControl function within VBoxDrv.sys, part of Sun xVM VirtualBox prior to version 1.6.4. It stems from the driver's use of the METHOD_NEITHER IOCTL transfer type combined with insufficient validation of the buffer associated with the IRP. With METHOD_NEITHER the I/O manager passes the caller's raw user-mode pointer through to the driver without copying or probing it, so the driver itself must validate the address before use; VBoxDrv.sys did not, which let an attacker supply an arbitrary kernel address.
Local users able to open the \\.\VBoxDrv device can exploit the issue by invoking DeviceIoControl with a crafted request. Successful exploitation grants elevated privileges on the host system, corresponding to a CVSS 3.1 score of 8.8 under the vector AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (local, low-complexity, low-privileged, no user interaction, scope change, high confidentiality, integrity and availability impact).
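The METHOD_NEITHER mistake described above, as an added example that is not VBoxDrv code or any Sun/Oracle code: a user-mode C model of a driver IOCTL handler that writes a result word through the caller-supplied Type3InputBuffer pointer. The unchecked handler turns a kernel address into an arbitrary kernel write; the checked handler models the fix, a ProbeForWrite-style range check before the pointer is touched. The 32-bit layout (2 GB user / 2 GB kernel split with MmUserProbeAddress modelled as 0x7FFF0000), the backing arrays, the fake "token" word and the status codes are all assumptions made for the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not VBoxDrv code. A user-mode model of a METHOD_NEITHER
 * IOCTL handler: the driver gets the caller's raw pointer (Type3InputBuffer)
 * and must probe it before use. All addresses and sizes below are assumptions
 * chosen for the model (32-bit layout, 2 GB user / 2 GB kernel split). */

#define USER_BASE          0x00010000u   /* start of the modelled user mapping */
#define USER_PROBE_ADDRESS 0x7FFF0000u   /* stand-in for MmUserProbeAddress */
#define KERNEL_BASE        0x80000000u   /* start of the modelled kernel mapping */
#define REGION_SIZE        4096u

/* Backing storage for the two modelled mappings. */
static uint8_t user_mem[REGION_SIZE];
static uint8_t kernel_mem[REGION_SIZE];

/* Stand-in for a security-sensitive kernel object (think: a token's
 * privilege word) living inside the kernel mapping. */
#define TOKEN_OFFSET  0x100u
#define TOKEN_ADDRESS (KERNEL_BASE + TOKEN_OFFSET)
#define TOKEN_INITIAL 0x00000001u

#define STATUS_SUCCESS           0
#define STATUS_INVALID_PARAMETER 1
#define STATUS_ACCESS_VIOLATION  2

/* What the driver sees for a METHOD_NEITHER request: the user pointer and the
 * caller-claimed length, neither copied nor validated by the I/O manager. */
typedef struct {
    uint32_t type3_input_buffer;
    uint32_t input_length;
} ioctl_request;

/* Resolve a modelled address range to backing storage; NULL if unmapped
 * (in a real kernel an unmapped kernel address means a bugcheck). */
static uint8_t *translate(uint32_t addr, size_t len) {
    if (len == 0 || len > REGION_SIZE) return NULL;
    if (addr >= USER_BASE && addr - USER_BASE <= REGION_SIZE - len)
        return user_mem + (addr - USER_BASE);
    if (addr >= KERNEL_BASE && addr - KERNEL_BASE <= REGION_SIZE - len)
        return kernel_mem + (addr - KERNEL_BASE);
    return NULL;
}

/* Model of ProbeForWrite: the whole range must lie below the user probe
 * address, and the end computation must not wrap. */
static bool probe_for_write(uint32_t addr, size_t len) {
    uint64_t end = (uint64_t)addr + len;   /* 64-bit so a wrap stays visible */
    return addr < USER_PROBE_ADDRESS && end <= USER_PROBE_ADDRESS;
}

/* Vulnerable pattern: trusts the caller's pointer and writes a result word
 * through it. A kernel address here becomes an arbitrary kernel write. */
int ioctl_handler_unchecked(const ioctl_request *req, uint32_t result) {
    if (req->input_length < sizeof result) return STATUS_INVALID_PARAMETER;
    uint8_t *dst = translate(req->type3_input_buffer, sizeof result);
    if (dst == NULL) return STATUS_ACCESS_VIOLATION;
    memcpy(dst, &result, sizeof result);
    return STATUS_SUCCESS;
}

/* Hardened pattern: probe the user range before touching it. A real driver
 * wraps probe and access in __try/__except because user pages can vanish
 * between the two; the probe is what keeps a kernel address out of the copy. */
int ioctl_handler_checked(const ioctl_request *req, uint32_t result) {
    if (req->input_length < sizeof result) return STATUS_INVALID_PARAMETER;
    if (!probe_for_write(req->type3_input_buffer, req->input_length))
        return STATUS_ACCESS_VIOLATION;
    return ioctl_handler_unchecked(req, result);
}

/* Reset both mappings; returns the token word so callers can confirm state. */
uint32_t reset_model(void) {
    uint32_t t = TOKEN_INITIAL;
    memset(user_mem, 0, sizeof user_mem);
    memset(kernel_mem, 0, sizeof kernel_mem);
    memcpy(kernel_mem + TOKEN_OFFSET, &t, sizeof t);
    return t;
}

/* Read a 32-bit word from the model; 0 if the address is unmapped. */
uint32_t read_word(uint32_t addr) {
    uint32_t v = 0;
    const uint8_t *src = translate(addr, sizeof v);
    if (src) memcpy(&v, src, sizeof v);
    return v;
}

int main(void) {
    ioctl_request crafted = { TOKEN_ADDRESS, sizeof(uint32_t) };  /* kernel address from user mode */
    reset_model();
    ioctl_handler_unchecked(&crafted, 0xFFFFFFFFu);
    printf("unchecked: token word now 0x%08x\n", read_word(TOKEN_ADDRESS));
    reset_model();
    int st = ioctl_handler_checked(&crafted, 0xFFFFFFFFu);
    printf("checked:   status %d, token word 0x%08x\n", st, read_word(TOKEN_ADDRESS));
    return 0;
}
```

The probe rejects three classes of input the unchecked handler accepts: a pointer at or above the user/kernel boundary, a range that starts in user space but ends past the boundary, and a range whose end wraps the address space. The length check alone does not help, because the caller controls the length as well as the pointer.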
Public references, including Secunia advisory 31361, SunSolve document 240095-1, the VirtualBox changelog, and SecurityTracker entry 1020625, point to the patched release, version 1.6.4, which addresses the driver flaw.
Beyond the CISA KEV listing itself, which by the catalog's own criteria indicates evidence of active exploitation, the source data supplies no details of observed in-the-wild exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2008-3417
Vulnerability details
The VBoxDrvNtDeviceControl function in VBoxDrv.sys in Sun xVM VirtualBox before 1.6.4 uses the METHOD_NEITHER communication method for IOCTLs and does not properly validate a buffer associated with the Irp object, which allows local users to gain privileges by opening the \\.\VBoxDrv device and calling DeviceIoControl to send a crafted kernel address.
- CWE(s)
- KEV Date Added
- 03 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.