Oracle VirtualBox NAT Network DoS Vulnerability

by chebbi abir

Oracle VirtualBox is the world’s most popular cross-platform virtualization product. The FortiGuard Labs team recently discovered on (December 6, 2018) a network Denial of Service (DoS) vulnerability in Oracle VirtualBox (CVE-2019-2527). This DoS vulnerability is caused by a crafted TCP session sent from a virtual machine (VM) that causes the NAT process on the host machine to crash and all the VMs in the same NAT network to lose their network connectivity.

This DoS vulnerability affects VirtualBox versions prior to 5.2.26 and 6.0.4.

The DoS Vulnerability

In VirtualBox, users can create their own NAT network in the settings and assign it to VMs. To demonstrate the zero-day DoS vulnerability, I will create a NAT Network called “yzyNatNetwork” and assign it to three VMs that are running Windows 7, Ubuntu, and Kali.

Fortinet FortiGuard Labs Threat ResearchFigure 1. Creating a NAT Network
Fortinet FortiGuard Labs Threat ResearchFigure 2. Assigning the NAT Network to a VM
Fortinet FortiGuard Labs Threat ResearchFigure 3. Assigning that same NAT Network to three different VMs

In Figure 3, the process VBoxNetNAT.exe running on the host machine is serving the NAT Network. It has three PIDs, which are 5148, 11472, and 7784.

The PoC will generate a craft TCP session and send it out. Once we execute the PoC on one VM and send this TCP session through the NAT Network, the three processes of the VBoxNetNAT.exe on the host machine will crash. This will cause all the other VMs in the same NAT Network to lose network connectivity.

Fortinet FortiGuard Labs Threat ResearchFigure 4. NAT Crash and Network DoS

The Demo

I have created a demonstration video that walks through this zero-day vulnerability. You can watch that video here.



All users of vulnerable versions of Oracle VirtualBox are encouraged to upgrade to the latest VirtualBox version or apply the latest patches immediately. Additionally, organizations that have deployed Fortinet IPS solutions are already protected from this vulnerability with the following signature:


Read more: Fortinet Discovers Oracle VirtualBox Denial of Service Vulnerability


Learn more about FortiGuard Labs and the FortiGuard Security Services portfolioSign up for our weekly FortiGuard Threat Brief. 

Know your vulnerabilities – get the facts about your network security. A Fortinet Cyber Threat Assessment can help you better understand: Security and Threat Prevention, User Productivity, and Network Utilization and Performance.

To read the original article:


Interdit de copier  ce contenu