Malicious OVA files - is this technically possible?

Re: Malicious OVA files - is this technically possible?

Post by fth0 »

@mpack:
I had no special type of attack in mind, only one with the property that it works over a network. As an arbitrary example:

Imagine I could provide you with a ready-made VM containing a tool that you've always wanted. The VM needed Internet access (i.e. network) to be available, and it also contained an already active newer variant of WannaCry working over SMBv3 (instead of SMBv1). This may not be a real danger for you and me, but I've heard there are people out there without backups. ;)

Re: Malicious OVA files - is this technically possible?

Post by mpack »

scottgus1 wrote: but I did notice something in several postings in the cvedetails.com link:
"exploitable vulnerability allows high privileged attacker with logon to the infrastructure"

I would take note of the phrase: exploitable vulnerability, i.e. a theoretical risk.

But I personally don't care to subscribe (in any sense) to AV Paranoia Weekly, so I'll leave it to others to peruse the details.

Re: Malicious OVA files - is this technically possible?

Post by fth0 »

mpack wrote: I also don't believe it's true that Oracle "regularly" issues security related fixes for VirtualBox.

You must be living in a parallel universe. :o

Here's the official Oracle site where the patches are announced (*): Critical Patch Updates, Security Alerts and Bulletins. The following deep links will make it easier to count the number of security related patches for the last 4 quarters:

VirtualBox 6.1.24 (Jul. 2021)
VirtualBox 6.1.20 (Apr. 2021)
VirtualBox 6.1.18 (Jan. 2021)
VirtualBox 6.1.16 (Oct. 2020)

(*) Did you notice that I knew the release date of VirtualBox 6.1.24 in advance? If you want to know in advance when the next 4 VirtualBox minor updates are going to be released at the latest, you now know where to look. ;)
Last edited by fth0 on 12. Aug 2021, 00:35, edited 1 time in total.

Re: Malicious OVA files - is this technically possible?

Post by Martin »

Well, the original question in this thread was whether there could be some kind of exploit in the OVA file (format) itself, which would be activated by importing the file into VirtualBox.
As far as I understand the question, it didn't include the start and running of that VM after the import.
So possible exploits to break out of the VM might be generally relevant, but not in the narrower context of the OVA file format and file handling.
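
Added example, not part of the thread and not VirtualBox's own import code: the post above narrows the question to what the importer is handed, and an OVA is a tar archive holding an OVF descriptor, disk images and an optional manifest, so that much can be read before any import. The names `inspect_ova`, `build_sample`, `ALLOWED_EXT` and `DISK` are chosen here, the allowed file types are an assumption of this check, and the sample archive is constructed in memory.

```python
import hashlib, io, re, tarfile

ALLOWED_EXT = (".ovf", ".mf", ".cert", ".vmdk", ".iso")  # assumption: types this check accepts
MF_LINE = re.compile(r"^(SHA1|SHA256)\s*\((.+?)\)\s*=\s*([0-9a-fA-F]+)\s*$")
DISK = b"KDMV" + bytes(60)  # constructed stand-in for a disk image

def inspect_ova(fileobj):
    """List findings for an OVA (a plain tar archive) without extracting anything to disk."""
    findings, digests, manifest = [], {}, {}
    with tarfile.open(fileobj=fileobj, mode="r:") as tar:
        for m in tar:
            if "/" in m.name or "\\" in m.name:  # an OVA is flat: no directories, no ../
                findings.append(f"path component in member name: {m.name}")
            if not m.isfile():  # symlinks, hardlinks, devices, directories
                findings.append(f"not a regular file: {m.name}")
                continue
            if not m.name.lower().endswith(ALLOWED_EXT):
                findings.append(f"unexpected file type: {m.name}")
            src = tar.extractfile(m)
            if m.name.lower().endswith(".mf"):  # manifest lines look like: SHA256(name)= hex
                for line in src.read().decode("utf-8", "replace").splitlines():
                    if (hit := MF_LINE.match(line)):
                        manifest[hit.group(2)] = (hit.group(1).lower(), hit.group(3).lower())
                continue
            hs = {a: hashlib.new(a) for a in ("sha1", "sha256")}
            for chunk in iter(lambda: src.read(1 << 20), b""):  # stream: disks can be large
                for h in hs.values():
                    h.update(chunk)
            digests[m.name] = {a: h.hexdigest() for a, h in hs.items()}
    for name, (algo, want) in manifest.items():
        if name not in digests:
            findings.append(f"manifest lists missing file: {name}")
        elif digests[name][algo] != want:
            findings.append(f"digest mismatch: {name}")
    return findings + [f"not covered by manifest: {n}" for n in digests if n not in manifest]

def build_sample(extra=None, disk=DISK):
    """Constructed in-memory OVA; the manifest always describes the original DISK."""
    listed = {"demo.ovf": b"<Envelope/>", "demo-disk1.vmdk": DISK}
    mf = "".join(f"SHA256({n})= {hashlib.sha256(d).hexdigest()}\n" for n, d in listed.items())
    files = {**listed, "demo-disk1.vmdk": disk, "demo.mf": mf.encode(), **(extra or {})}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf
```

A clean result only says the archive is well-formed and unchanged since its manifest was written; whoever builds the archive also writes the manifest, and none of this covers what the guest does once it is started.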

Re: Malicious OVA files - is this technically possible?

Post by mpack »

Jeez... I just had somebody ask "how do I not be dumb?". Q deleted as off topic, but anyway that low point is a good indicator that it's time to close this discussion.

I believe the OP's question has already been thoroughly answered (e.g. see Martin's response above this).
Locked