detailed information about a zero-day vulnerability in VirtualBox. His explanations include step-by-step instructions for exploiting the bug. According to the initial details in the disclosure, the issue is present in a shared code base of the virtualization software, available on all supported operating systems. Exploiting the vulnerability allows an attacker to escape the virtual environment of the guest machine and reach the Ring 3 privilege layer, used for running code from most user programs, with the least privileges.

Turning one "overflow" into another

Sergey Zelenyuk found that the security bug can be leveraged on virtual machines configured with the Intel PRO/1000 MT Desktop (82540EM) network adapter in Network Address Translation (NAT) mode, the default setup that allows the guest system to access external networks.

"The [Intel PRO/1000 MT Desktop (82540EM)] has a vulnerability allowing an attacker with root/administrator privileges in a guest to escape to a host ring3. Then the attacker can use existing techniques to escalate privileges to ring 0 via /dev/vboxdrv," Zelenyuk writes in a technical write-up on Tuesday.

Zelenyuk says that an important aspect of understanding how the vulnerability works is that context descriptors are processed before data descriptors. The researcher describes the mechanics behind the security flaw in detail, showing how to trigger the conditions needed to obtain a buffer overflow that could be abused to escape the confines of the virtual operating system. First, he caused an integer underflow using packet descriptors, the data segments that allow the network adapter to track network packet data in system memory. This state was then leveraged to read data from the guest OS into a heap buffer and cause an overflow that could lead to overwriting function pointers, or to cause a stack overflow.
Simon Kenin, a security researcher at Trustwave, was, by his own admission, being lazy the day he discovered an authentication vulnerability in his Netgear router. Instead of getting up out of bed to address a connection problem, he started fuzzing the web interface and discovered a serious issue. Kenin had hit upon unauth.cgi, code that was previously tied to two different exploits in 2014 for unauthenticated password disclosure flaws. The short version of the 2014 vulnerability is that an attacker can get unauth.cgi to issue a number that can be passed to passwordrecovered.cgi in order to receive credentials. Kenin tested those exploits and was able to get his password.

The following day he started gathering other Netgear devices to test. While repeating the process, he made an error, but that didn't prevent him from obtaining credentials. That accidental discovery resulted in CVE-2017-5521.

"After a few trials and errors trying to reproduce the issue, I found that the very first call to passwordrecovered.cgi will give out the credentials no matter what the parameter you send. This is a totally new bug that I haven't seen anywhere else. When I tested both bugs on different NETGEAR models, I found that my second bug works on a much wider range of models," Kenin explained in a recent blog post.

There are at least ten thousand devices online that are vulnerable to the flaw that Kenin discovered, but he says the real number could reach the hundreds of thousands, or even millions.

"The vulnerability can be used by a remote attacker if remote administration is set to be Internet facing. However, anyone with physical access to a network with a vulnerable router can exploit it locally. This would include public Wi-Fi spaces like cafés and libraries using vulnerable equipment," Kenin wrote.

Kenin reached out to Netgear and reported the problems, but it was no easy task. The first advisory listed 18 devices that were vulnerable, followed by a second advisory detailing an additional 25 models. A few months later, in June 2016, Netgear finally published an advisory that offered a fix for a small subset of the vulnerable devices, and a workaround for others. Eventually, Netgear reported that they were going to fix all the unpatched models. They also teamed up with Bugcrowd to improve their vulnerability handling process. Netgear has a status page on the vulnerability, and they also provide a workaround for those who can't update their firmware yet.

It wasn't until after the story ran that the PR firm representing Trustwave and pitching the research named Simon Kenin as the one who made the discovery. Netgear issued a statement, somewhat downplaying the discovery and reminding users that fixes are available for most of the impacted devices. The emailed comments are reprinted below:

NETGEAR is aware of the vulnerability (CVE-2017-5521) that has been recently publicized by Trustwave. We have been working with the security analysts to evaluate the vulnerability. NETGEAR has published a knowledge base article from our support page, which lists the affected routers and the available firmware fix. Firmware fixes are currently available for the majority of the affected devices. To download the firmware release that fixes the password recovery vulnerability, click the link for the model and visit the firmware release page for further instructions.