| Rich Freeman on 8 Nov 2018 12:19:31 -0800 |
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
| Re: [PLUG] new virtualbox exploit |
On Thu, Nov 8, 2018 at 2:56 PM <prushik@gmail.com> wrote: > On November 8, 2018 1:55:50 PM EST, jeff <jeffv@op.net> wrote: > >the guy who found it flipped out and released this before submitting to > >Oracle. > > Exactly the way all vulnerabilities should be released. Wish more peeps would do this. #informationfreedom > > This is just a vm escape though. the attacker needs root on the guest, and only gets to the host with non-root user permissions. By itself, this probably isn't a very serious vulnerability. > "just a vm escape" :) Really, though, if you're using virtualbox for anything serious I'd give thought to using something else. KVM or Xen are the big Linux solutions for actual virtualization using mainline kernel drivers, and of course you should consider a container. And of course the big name in VMs is VMware which you typically wouldn't run on a linux host. On linux there is also libvirt which is basically a wrapper for the underlying kernel functionality, and various guis/etc that sit on top of libvirt. This lets you use GUIs similar to something like the Virtualbox GUI, but it also gives you the ability to launch VMs from the command line, and the configs are all xml I believe. If all you're doing is playing around with a random development VM maybe something like Virtualbox is fine, but most of that can also be done with a libvirt GUI like virt-manager. And it doesn't require out-of-kernel modules. -- Rich ___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug