CVE-2021-25319: 
NixOS vulnerability analysis and mitigation

CVE-2021-25319 is a security vulnerability in the OpenSUSE packaging of VirtualBox that was discovered in early 2021. The vulnerability stems from missing sticky bit permissions in the /etc/vbox directory, which allows members of the vboxusers group to exploit local root access. This vulnerability specifically affects OpenSUSE distributions where the directory was incorrectly packaged with improper permissions (OpenWall).

The vulnerability exists due to incorrect default permissions in the packaging of VirtualBox where the /etc/vbox directory was configured with permissions drwxrwxr-x (775) owned by root:vboxusers, but without the sticky bit set. This configuration allowed members of the vboxusers group to remove and recreate the vbox.cfg file, which is sourced by scripts running as root. The vulnerability specifically affects the OpenSUSE packaging of VirtualBox, while other distributions like Arch Linux, Fedora, and official VirtualBox.org RPMs were not affected as they package /etc/vbox as root:root with mode 755 (SUSE Bugzilla).

The vulnerability allows any member of the vboxusers group to perform a local root exploit by manipulating the /etc/vbox/vbox.cfg file. When exploited, an attacker could execute arbitrary commands with root privileges once services like vboxautostart are triggered (OpenWall).

The fix involves changing the VBOXAUTOSTARTDB from /etc/vbox to /etc/vbox/autostart.d, setting /etc/vbox ownership to root:root with mode 755, and configuring /etc/vbox/autostart.d with ownership root:vboxusers and mode 1775. Updates were released for affected OpenSUSE versions including Leap 15.1, 15.2, and 15.3 ([SUSE Bugzilla](https://bugzilla.suse.com/showbug.cgi?id=1182918)).