44 comments

[ 3.1 ms ] story [ 118 ms ] thread
Do any of these affect the host when it's Linux?

I run several VMs at the same time, occasionally one will freeze. I think it's just the video/display that freezes while the browser/whatever in the guest VM still operates normally.

The title should really say that they've been patched.

Edit: The first sentence:

> Oracle has released patches for ten vulnerabilities in VirtualBox which allow attackers to break out of guest operating systems and attack the host operating system that VirtualBox runs on.

And at http://www.oracle.com/technetwork/security-advisory/cpujan20...

> Supported Versions Affected ... Prior to 5.1.32, Prior to 5.2.6

The current version being 5.2.6

https://www.virtualbox.org/wiki/Downloads

OK, we s/discovered/patched/ the title above. Since something can't be patched before it is discovered this seems strictly more informative.
Thanks. The article didn't say when the vulnerabilities were discovered. Depending who discovered them, it could have been months or more. I brought it up to clarify that these aren't unpatched vulnerabilities.
(comment deleted)
I am definitely not complaining, but I wonder why Oracle continues work on VirtualBox at all?

When they acquired Sun, they seemed in a hurry to kill off all the other open source projects Sun had been running.

Do they use it as the basis for their cloud-infrastructure[1] or what? I do not see how VirtualBox generates any revenue for Oracle, and they have a reputation for being very ... focussed when it comes to revenue.

[1] That seems pretty unlikely

They have a closed-source "extension pack" with a bunch of quite useful and even necessary features (e.g. USB 2.0) so that could be their revenue source, but looking around it seems that others have been rather unsuccessful at actually trying to pay for it --- the response Oracle has given them is "you can use and redistribute it for free".
Huh. Next thing you know Microsoft is going to host all Windows and Office development on public github repos, IBM begins lobbying against software patents, and GNU/Hurd reaches 1.0... These are interesting times we live in for sure.
Tangential related, didn't I see recently that IBM has a patent on patent trolling?
If so, that could be the starting point for the ... most interesting lawsuit ever.
I just sort of noticed the headline somewhere, haven't really looked in to it. This NPR article has more detail:

https://www.npr.org/sections/money/2012/08/01/157743897/can-...

In a defensive capability, it gets even better:

    Patent Troll: Hi, I am a Patent Troll, 
                  and I want to sue your ... company.
    Halliburton:  Look, Dame or Dude, you have three choices: 
                  1. We have a patent on that. 
                     You cannot sue us without a license. 
                     Good bye!
                  2. We have a patent on that. 
                     You cannot sue us without a license.
                     Licenses are $ 42 trillion.
                     *Per Lawyer*.
                     See you in court. Or not.
                  3. We buy your company, because we rule!
    Patent Troll: *Head explodes*
    
    -- The End --
A decent writer could make a sitcom out of this in no time. I already have a picture in my head -- it is like Night Court meets Psych! I wanna watch this on Netflix!!!
Business methods and legal theories are exempt from patents, but OTOH, so was software once upon a time.
That was already closed at Sun times I believe since it contains third party code where Sun/Oracle didn't have the right to open source it.
In past I wanted my employers to pay for VirtualBox commercial licences (to support the project and in some cases it was a requirement that all software used in development process is properly licensed) but I couldn't even find it anywhere as a product. Nowadays it is available[1] (not sure since when) but minimum number of licenses to purchase is 100.

[1]: https://shop.oracle.com/apex/product?p1=OracleVMVirtualBoxEn...

Interesting. The minimum order quantity suggests that Oracle is not interested in small orders (and I'm almost willing to bet that if you asked to buy fewer than that for commercial use, the response would be "just use it for free".) $50/user is also quite low by Oracle standards... I guess they decided the legal fees involved in going after "small violations" are not worth the trouble.

However, even the extensions used to be free for "noncommercial use in a commercial environment" --- they silently changed the license relatively recently: https://forums.virtualbox.org/viewtopic.php?f=1&t=85092

Yikes, that license change bites.

I guess I'm going to have to switch to using KVM at work now if I to do things like USB device passthrough now. Shame too because setting up KVM networking is way more complicated than setting up VirtualBox networking.

What is the alternative to using Virtualbox besides buying a separate computer? I'm assuming there's more vulnerabilities to be found.
> What is the alternative to using Virtualbox

Any other hypervisor. QEMU/KVM, Xen, VMWare, and Parallels all have good track records.

On Linux, qemu/kvm works well enough for most purposes, on FreeBSD you have bhyve. OpenBSD's vmm is a thing, but I do not know if it can host other systems than OpenBSD, yet.

On Windows, there is Hyper-V. I have only very little experience with it, but in my short time, I did not encounter anything I would like to complain about. I am not sure, however, if it comes with the client editions of Windows. Microsoft Virtual PC still exists, too.

Xen is also a thing - run Dom0 as your desktop system, and run the VMs in the background.

None of this is perfect, but if you need them, there are alternatives.

> Microsoft Virtual PC still exists

Not updated in almost 10 years, not supported on Windows 8 or 10.

I'm pretty sure the Virtual PC product went on to become Hyper-V.
Some of the Xen technology went into Hyper-V. Microsoft had a partnership with the Cambridge labs.
My understanding is that Hyper-V replaced Virtual PC and was not based on it.
shudders Okay, that explains the vague feeling I had that something was not right with this one.
> I am not sure, however, if it comes with the client editions of Windows. Microsoft Virtual PC still exists, too.

It's in Windows 10 client editions too. Look under "Turn Windows features on or off". Windows Subsystem for Linux is there too.

Not on the Home edition or whatever it's called.
Do you know if it can be installed on Home even if it's not part of the standard installation media?
There is no particular reason to expect that qemu has any greater security that vbox. All of these systems have a significant amount of very critical code; I particularly sceptical of the hardware emulation part.

AWS recently started moving from a custom Xen to a custom KVM, but it doesn't seem it was for security reasons. Xen certainly is heavily used by public cloud providers.

QEMU is huge, but you choose what parts to use. If you stick to the defaults, e.g. your VM has one or more virtio devices, a virtual USB3 controller and USB tablet, maybe an IDE/AHCI controller and an e1000 or rtl8139 NIC, it should be pretty okay.

Because of its use with KVM, QEMU has had its code scrutinized quite closely in the last few years. There are some device models that have a pretty bad track record, such as Cirrus VGA, but they are not the default anymore and there's no reason why you should use them.

Virtualization capable hardware required though (I don't know about Hyper-V).
I was going to recommend Bochs, which doesn't use virtualisation hardware at all and is instead an instruction-level emulator (much slower but should theoretically be more immune to hardware virtualisation bugs), but then there's this:

https://www.cvedetails.com/vulnerability-list/vendor_id-2505...

Better than this though:

https://www.cvedetails.com/vulnerability-list/vendor_id-93/p...

Judging by the descriptions, these VirtualBox bugs are all in the device emulation, host-to-guest communications framework and so on, so they would apply equally whether the VM was using virtualization hardware or instruction emulation. This isn't unique to VirtualBox's track record -- the 'attack surface' for a VM is almost entirely in the device models, where software bugs allow VM escapes. The hardware virtualization is much less likely to cause problems: CPU bugs are rare compared to software bugs. In fact I think a pure-emulation setup would be worse off, because there's a lot more potentially buggy software doing the emulation that the guest can try to exploit. If you don't see those in a CVE list it's because nobody's bothering to try to exploit whatever emulator you're using, or because the emulator doesn't promise guest isolation and doesn't track bugs as CVEs. Comparison of raw CVE counts is tricky and risks apples-to-oranges problems.
Compared to Xen and KVM, VirtualBox runs much larger parts of the device emulation in ring 0, together with the core CPU virtualization code, for performance.

This is particularly important when KVM is used with a special user (such as user "qemu") and SELinux, because then a bug in QEMU becomes extremely hard to turn into host root access. Libvirt takes care of configuring SELinux this way for you, when you use for example KVM on OpenStack.

> I'm assuming there's more vulnerabilities to be found.

This also holds true for the alternatives.

(comment deleted)
Vmware Workstation or Player (on a Mac Fusion) on Linux workstation. Rock solid
There are VirtualBox alternatives, but the advantage of VirtualBox is your exported VM appliances may be imported to the same hypervisor on Windows, Mac, FreeBSD, Solaris, Illumos, and Linux.

VirtualBox also has a slicker UI compared with QEMU/KVM on linux & bhyve on FreeBSD/Mac & vmm on OpenBSD.

The alternatives all have their own merits, but if people are wondering why anyone would use VirtualBox, I believe the above reasons are why.