CVE-2008-3431
Published 2008-08-05
Priority P184 · high · CVSS 3.1: 8.8
CVSS 3.1 vector: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Tags: KEV · ITW · Exploit · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-03-24
Exploited in the wild
EPSS: 6.93% (93.3rd percentile)
The VBoxDrvNtDeviceControl function in VBoxDrv.sys in Sun xVM VirtualBox before 1.6.4 uses the METHOD_NEITHER communication method for IOCTLs and does not properly validate a buffer associated with the Irp object, which allows local users to gain privileges by opening the \\.\VBoxDrv device and calling DeviceIoControl to send a crafted kernel address.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | virtualbox | < 1.6.4 | 1.6.4 |
Detection & IOCs (extracted from sources)
- command: `DeviceIoControl(hDevice, 0x228103, (LPVOID)0x80808080, 0, (LPVOID)0x80808080, 0x0, &cb, NULL)`
- Detect loading of VBoxDrv.sys versions <= 3.0.0 on systems where VirtualBox is not legitimately installed; presence of this driver is a strong indicator of exploit staging for DSE bypass.
- Hunt for SSP DLLs added to the Windows system directory and registered in the LSA Security Packages registry value; AcidBox loaders persist as SSPs loaded into lsass.exe.
- AcidBox's main worker module stores its encrypted payload in the Windows registry; hunt for large, high-entropy binary registry values written by lsass.exe or by unusual SSP DLLs.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | | 8.8 | HIGH | |
| cisa | | 8.8 | HIGH | |
GHSA
GHSA-pxp3-358m-6vfm: The VBoxDrvNtDeviceControl function in VBoxDrv
ghsa_unreviewed · 2022-05-02 · CVE-2008-3431 [HIGH]
The VBoxDrvNtDeviceControl function in VBoxDrv.sys in Sun xVM VirtualBox before 1.6.4 uses the METHOD_NEITHER communication method for IOCTLs and does not properly validate a buffer associated with the Irp object, which allows local users to gain privileges by opening the \\.\VBoxDrv device and calling DeviceIoControl to send a crafted kernel address.
VulnCheck
Oracle VirtualBox Insufficient Input Validation Vulnerability
vulncheck · 2008 · CVSS 8.8 · CVE-2008-3431 [HIGH] · CWE-264
An input validation vulnerability exists in the VBoxDrv.sys driver of Sun xVM VirtualBox which allows attackers to locally execute arbitrary code.
Affected: Oracle VirtualBox
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://cybersecurityworks.com/pdf/ransomware/Spotlight_Ransomware2021.pdf
- https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/
- https://cybersecurityworks.com/howdymanage/uploads/file/ransomware-_-2022-spotlight-report_compressed.pdf
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://cybersecurityworks.com/howdymanage/uploads/file/RansomwareUpdate%20Report%202022
CISA
Oracle VirtualBox Insufficient Input Validation Vulnerability
cisa · 2022-03-03 · CVSS 8.8 · CVE-2008-3431 [HIGH] · CWE-264
Affected: Oracle VirtualBox
An input validation vulnerability exists in the VBoxDrv.sys driver of Sun xVM VirtualBox which allows attackers to locally execute arbitrary code.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2008-3431
Remediation Due Date: 2022-03-24
No detection rules found.
Securelist
APT trends report Q2 2020
blogs_securelist · 2020-07-29
Table of Contents
- The most remarkable findings
- Russian-speaking activity
- Chinese-speaking activity
- Middle East
- Southeast Asia and Korean Peninsula
- Other interesting discoveries
- Final thoughts
Authors
- GReAT
For more than three years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.
This is our latest installment, focusing on activities that we observed during Q2 2020.
Readers who would like to learn
Unit42
AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations
blogs_unit42 · 2020-06-17 · CVSS 8.8 · CVE-2008-3431 [HIGH]
Authors: Dominik Reichel, Esmid Idrizovic
Published: June 17, 2020
Tags: Malware, Threat Research, Vulnerabilities, AcidBox, CVE-2008-3431, Pensive Ursa, Turla
## Executive Summary
When the news broke in 2014 about a new sophisticated threat actor dubbed the Turla Group, which the Estonian foreign intelligence service believes has Russian origins and operates on behalf of the FSB, its kernel-mode malware also became the first publicly described case that abused a third-party device driver to disable Driver Signature Enforcement (DSE). This security mechanism was introduced in Windows Vista to prevent unsigned drivers from loading into kernel space. Turla exploited the signed VirtualBox driver, VBoxDrv.sys v1.6.2, to deactivate DSE and load its unsigned payload drivers afterward.
There is some confusion about this exploit, however, as it's often generally referred to as CVE-2008-3431. The exploit used by Turla actually abuses two vulnerabilities
References
- http://secunia.com/advisories/31361
- http://securityreason.com/securityalert/4107
- http://securitytracker.com/id?1020625
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-240095-1
- http://virtualbox.org/wiki/Changelog
- http://www.coresecurity.com/content/virtualbox-privilege-escalation-vulnerability
- http://www.securityfocus.com/archive/1/495095/100/0/threaded
- http://www.securityfocus.com/bid/30481
- http://www.vupen.com/english/advisories/2008/2293
- https://exchange.xforce.ibmcloud.com/vulnerabilities/44202
- https://www.exploit-db.com/exploits/6218
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2008-3431
Timeline
- 2008-08-05: Published
- 2022-03-03: Added to CISA KEV
- Exploited in the wild