CVE-2021-2321: 
VirtualBox vulnerability analysis and mitigation

Oracle VM VirtualBox, prior to version 6.1.20, contains a vulnerability in the e1000 virtual network adapter component that allows high-privileged attackers with logon access to the infrastructure to compromise Oracle VM VirtualBox. The vulnerability is tracked as CVE-2021-2321 and was discovered during the Pwn2Own competition (ZDI Advisory, Oracle Advisory).

The vulnerability is an out-of-bounds read issue in the e1000 virtual network adapter implementation. The flaw stems from insufficient validation of user-supplied data, which can result in unauthorized read access past the end of an allocated buffer. The vulnerability has been assigned a CVSS 3.1 Base Score of 6.0 (Confidentiality impacts) with the vector string: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N (NVD).

Successful exploitation of this vulnerability can lead to unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. The vulnerability's impact is primarily focused on confidentiality, with no direct effects on integrity or availability (Oracle Advisory).

Oracle has released version 6.1.20 of VirtualBox to address this vulnerability. Users are strongly recommended to upgrade to this version or later. The fix was included in Oracle's April 2021 Critical Patch Update (Oracle Advisory).

The vulnerability was discovered by security researchers Billy Jheng Bing-Jhong (@st424204), Calvin Fong (@_lordidiot), and Muhammad Alifa Ramdhan (@n0psledbyte) of STAR Labs during the Pwn2Own competition (Oracle Advisory).