No internet using NAT, all guests

Discussions related to using VirtualBox on Windows hosts.
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: No internet using NAT, all guests

Post by mpack »

I'm afraid that I'm pretty sure that the whitelist idea is contrary to Oracle management policy, so that idea won't fly at all. The fact that not all software has such rigorous standards is not going to convince them to change.

You have what is essentially a defective host process, it needs to be fixed at your end, not worked around by VirtualBox.
scottgus1
Site Moderator
Posts: 20945
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: No internet using NAT, all guests

Post by scottgus1 »

If there were a whitelist, malware could hack said whitelist and gain admin privileges through VirtualBox.
AntonioDL
Posts: 12
Joined: 19. Jul 2017, 09:44
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Ubuntu, Suse
Location: Germany

Re: No internet using NAT, all guests

Post by AntonioDL »

mpack wrote:I'm afraid that I'm pretty sure that the whitelist idea is contrary to Oracle management policy.
Fair. I just thought about giving the user the freedom to choose, but risks are involved.
mpack wrote:You have what is essentially a defective host process, it needs to be fixed at your end, not worked around by VirtualBox.
Here I disagree. So again, forget about whitelist ideas...
Reading the details of the ticket posted, VBox is not verifying the signature of this DLL properly and thus rejecting it.
If you used signtool, it would show the DLL is properly signed. Note, using the default option will show a trust error because the default assumes driver signing and this is not a driver with a signed catalog file. You need to use the /pa argument for the signing to show as valid. Since you use SigCheck (Sysinternals), you do not need to use any parameters to show the DLL is signed.

c:\program files\open text\socks client\HumSOCKS.dll: 
        Verified:       Signed 
        Signing date:   1:16 PM 9/15/2016 
        Publisher:      Open Text Corporation 
        Company:        Open Text Corporation 
        Description:    Open Text SOCKS Client for x64 
        Product:        Open Text SOCKS Client 
        Prod version:   14.0.0.0 
        File version:   14.0.16.193 
        MachineType:    64-bit 
VBox is widely used and is superb!
I don't know how widely OpenText is used.
The combination is even more rare. I don't want to be picky. All I'm saying is that with the information collected so far, the development team could review if the hardening checks being used are implemented properly.
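
To see how Windows itself classifies the signature discussed above (embedded versus catalog, and the two signtool policies named in the post), the following is an added example. It is not part of any post in this thread and does not reproduce VirtualBox's hardening checks. It assumes PowerShell 5.1 or later and, for the last step, that signtool.exe from the Windows SDK is on the PATH; the function name is hypothetical.

```powershell
param(
    # Path taken from the SigCheck output in the thread; change as needed.
    [string]$Path = 'C:\Program Files\Open Text\SOCKS Client\HumSOCKS.dll'
)

function Get-SignatureReport {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Walk the signer's certificate chain and note each certificate's
    # signature algorithm, so "signed, just differently" becomes visible.
    $chainInfo = @()
    if ($sig.SignerCertificate) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Skip revocation lookups so the report also works offline.
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        [void]$chain.Build($sig.SignerCertificate)
        $chainInfo = foreach ($el in $chain.ChainElements) {
            '{0} [{1}]' -f $el.Certificate.Subject,
                           $el.Certificate.SignatureAlgorithm.FriendlyName
        }
    }

    [pscustomobject]@{
        Path          = $Path
        Status        = $sig.Status          # Valid, NotSigned, NotTrusted, ...
        SignatureType = $sig.SignatureType   # Authenticode (embedded) or Catalog
        IsOSBinary    = $sig.IsOSBinary
        Signer        = $sig.SignerCertificate.Subject
        Timestamped   = [bool]$sig.TimeStamperCertificate
        Chain         = $chainInfo
    }
}

Get-SignatureReport -Path $Path | Format-List

# Compare signtool's default (driver) policy with the /pa policy from the post.
$signtool = Get-Command signtool.exe -ErrorAction SilentlyContinue
if ($signtool) {
    $policies = [ordered]@{
        'default (driver) policy' = @('verify', $Path)
        '/pa policy'              = @('verify', '/pa', $Path)
    }
    foreach ($name in $policies.Keys) {
        $toolArgs = $policies[$name]
        & $signtool.Source @toolArgs 2>&1 | Out-Null
        '{0}: signtool exit code {1}' -f $name, $LASTEXITCODE   # 0 = verified
    }
}
```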
Martin
Volunteer
Posts: 2561
Joined: 30. May 2007, 18:05
Primary OS: Fedora other
VBox Version: PUEL
Guest OSses: XP, Win7, Win10, Linux, OS/2

Re: No internet using NAT, all guests

Post by Martin »

You don't have a problem with the other software parts because these don't try to inject their DLLs into Vbox process space. ;)
AntonioDL
Posts: 12
Joined: 19. Jul 2017, 09:44
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Ubuntu, Suse
Location: Germany

Re: No internet using NAT, all guests

Post by AntonioDL »

Sure, I'm not talking about other software injecting the DLL into VBox.
I'm talking about software injecting/hardening this DLL into their own process. If every software would be checking and rejecting this DLL as VBox does, they would likely have the very same network problems.
Few samples we have in our company:
- AT&T Client and Cisco AnyConnect and SSL Extender for VPN access;
- Symantec Endpoint Protection (Firewall);
They all load the DLL.
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: No internet using NAT, all guests

Post by socratis »

AntonioDL wrote:If every software would be checking and rejecting this DLL as VBox does, they would likely have the very same network problems.
But they don't. They don't really care. VirtualBox cares due to security papers that were highlighting the procedure where a "rogue" DLL injects itself into VirtualBox, and that affects the guest. Now the guest is a full-blown OS and if that gets infected it could infect the host, since the guest is running with high privileges in the system.

Do yourself a favor and read the following FAQ: Diagnosing VirtualBox Hardening Issues.

Bottom line: that's how things stand. If your DLL was properly signed, if your DLL was following the rules, we wouldn't be having this discussion. Does that make sense?
AntonioDL
Posts: 12
Joined: 19. Jul 2017, 09:44
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Ubuntu, Suse
Location: Germany

Re: No internet using NAT, all guests

Post by AntonioDL »

Look, I don't wanna cause a fight... I fully understand your post.

I just find it hard to believe that software from companies like the ones I mentioned "don't care".

A company like Cisco would provide clients a VPN solution which is 'unsafe'?
Microsoft would load such 'unsafe' DLLs into their own network core?
Symantec is one of the industry leading virus/network protection in the market.
(PS: not trying to defend any of these companies, just using them as an example).

Have you read the ticket? OpenText says their code is signed, just differently. My sincere apologies as I don't have a full knowledge of this whole sign process, driver vs non-driver, catalog and all the terms they mention.

Anyway, if you say that's how things stand and nothing will ever be done, then there is nothing else to discuss.
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: No internet using NAT, all guests

Post by mpack »

We are all just users here, not spokespersons for Oracle, and in any case you are not an Oracle customer. Your technical point is one for the devs to look at, not us, and since a ticket has already been raised then I'm sure they will, eventually.