CVE-2020-2742: 
VirtualBox vulnerability analysis and mitigation

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core) affects versions prior to 5.2.36, prior to 6.0.16, and prior to 6.1.2. This vulnerability allows high privileged attackers with logon access to the infrastructure where Oracle VM VirtualBox executes to compromise the system. The vulnerability was discovered and reported by Reno Robert working with Trend Micro Zero Day Initiative, with a CVSS v3.0 base score of 8.2 (Oracle CPU).

The vulnerability exists within the xHCI component and results from the lack of proper validation of user-supplied data, which can lead to an integer overflow condition before allocating a buffer. The CVSS score of 8.2 is based on the following vector: AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H, indicating local access required, low attack complexity, high privileges required, no user interaction needed, and high impacts on confidentiality, integrity, and availability (ZDI Advisory).

Successful exploitation of this vulnerability can result in takeover of Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the hypervisor (ZDI Advisory).

Oracle has released security patches to address this vulnerability. Users should upgrade to VirtualBox versions 5.2.36 or later, 6.0.16 or later, or 6.1.2 or later depending on their current version track. The patches are available through Oracle's support channels (Oracle CPU).