CVE-2024-21111 Detection: A New Critical Local Privilege Escalation Vulnerability in Oracle VirtualBox with the PoC Exploit Released

A new vulnerability assigned CVE-2024-21111 was recently discovered in Oracle Virtualbox, a widespread open-source virtualization software. The uncovered critical Oracle VirtualBox vulnerability enables adversaries to escalate privileges to NT AUTHORITY\SYSTEM via Symbolic Link, with its exploitation potentially leading to either arbitrary file deletion or arbitrary file movement.

Detect CVE-2024-21111 Exploitation Attempts

With the exponential rise and growing sophistication of attacks, in which adversaries weaponize vulnerabilities in popular open-source products, Proactive Detection of Vulnerability Exploitation remains among the top cybersecurity use cases. SOC Prime Platform for collective cyber defense has recently released a new Sigma rule to detect potential exploitation attempts of a novel critical vulnerability in Oracle VM VirtualBox abused by attackers to elevate privileges on the compromised host. Log into the Platform to access the relevant detection algorithm enriched with relevant CTI, in-depth metadata, and compatible with industry-leading SIEM, EDR, and Data Lake solutions. 

Possible CVE-2024-21111 (Oractle Virtualbox LPE) Exploitation Attempt (via file_event)

The detection is aligned with the MITRE ATT&CK® framework, addressing the Privilege Escalation tactic and the Exploitation for Privilege Escalation technique (T1068). 

To continuously stay ahead of emerging threats and timely remediate the risks of intrusions, explore the entire collection of relevant high-quality SOC content available via the Explore Detections button below.

Explore Detections

CVE-2024-21111 Analysis

A novel vulnerability, tracked as CVE-2024-21111, has emerged in the cyber threat landscape. The security bug, which has a high criticality CVSS score of 7.8, impacts Oracle VM VirtualBox versions preceding 7.0.16. 

CVE-2024-21111 poses a significant threat as it can be weaponized by attackers with low privileges and logon access to compromise Oracle VM VirtualBox. The flaw can be abused by adversaries to both delete files in the directory and perform an arbitrary file move, potentially resulting in a system takeover. However, the flaw represents a considerable risk to Windows hosts only. CVE-2024-21111 was uncovered by the security researcher Naor Hodorov, who also created a PoC exploit code for this vulnerability.

In response to the escalating threat, the vendor has promptly provided vulnerability patching and issued a dedicated security advisory to help organizations instantly minimize risks. As potential CVE mitigation measures, Oracle recommends upgrading to the latest software version due to the severity of the potential attack. In addition, defenders can remediate risks by blocking network protocols that are potentially exposed to exploitation and restricting privileges for users who do not require them.

Preempt attacks before they strike and elevate your organization’s cybersecurity posture with SOC Prime’s complete product suite for AI-powered Detection Engineering, Automated Threat Hunting & Detection Stack Validation.