CVE-2020-2894: 
VirtualBox vulnerability analysis and mitigation

CVE-2020-2894 is a vulnerability discovered in Oracle VM VirtualBox affecting versions prior to 5.2.40, prior to 6.0.20, and prior to 6.1.6. The vulnerability was disclosed in April 2020 as part of Oracle's Critical Patch Update. This security issue affects the Core component of Oracle VM VirtualBox and requires a high-privileged attacker with logon access to the infrastructure where Oracle VM VirtualBox executes (NVD, Oracle CPU).

The vulnerability exists within the IP checksums in the virtualized e1000 network interface. The specific flaw results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. The vulnerability has been assigned a CVSS v3.0 base score of 6.0 (MEDIUM) with the vector string: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N (ZDI).

Successful exploitation of this vulnerability can result in unauthorized disclosure of information through a read past the end of an allocated buffer. An attacker can leverage this vulnerability in conjunction with other vulnerabilities to potentially execute code in the context of the hypervisor (ZDI).

Oracle has released patches to address this vulnerability in VirtualBox versions 5.2.40, 6.0.20, and 6.1.6. Users are advised to upgrade to these or later versions. The fix was included in the April 2020 Critical Patch Update (Oracle CPU, OpenSUSE).