SB2018042402 - OpenSUSE Linux update for virtualbox
Published: April 24, 2018 Updated: April 17, 2019
Description
This security bulletin contains information about 13 security vulnerabilities.
1) Improper input validation (CVE-ID: CVE-2017-3737)
The vulnerability allows a remote attacker to gain access to potentially sensitive information on the target system. The weakness exists due to an "error state mechanism" when SSL_read() or SSL_write() is called directly after SSL object. A remote attacker can supply a specially crafted input, trigger a fatal error during a handshake and return it in the initial function call to access or modify sensitive information.
2) Use-after-free (CVE-ID: CVE-2017-9798)
The vulnerability allows a remote attacker to obtain potentially sensitive information.
The vulnerability exists due to a use-after-free error when processing HTTP OPTIONS requests in server/core.c, when limits are configured in .htaccess or httpd.conf configuration files. A remote unauthenticated attacker can read portions of memory through HTTP OPTIONS requests and gain access to potentially sensitive data.
The vulnerability is dubbed Optionsbleed.
3) Resource exhaustion (CVE-ID: CVE-2018-0739)
The vulnerability allows a remote attacker to cause a DoS condition on the target system. The weakness exists due to excessive stack memory consumption. A remote attacker can cause the service to crash.
4) Privilege escalation (CVE-ID: CVE-2018-2830)
The vulnerability allows a local attacker to gain elevated privileges on the target system. The weakness exists in the Oracle VM VirtualBox Core component due to improper security restrictions. A local attacker can gain root privileges.
5) Information disclosure (CVE-ID: CVE-2018-2831)
The vulnerability allows a local attacker to obtain potentially sensitive information on the target system. The weakness exists in the Oracle VM VirtualBox Core component due to improper information control. A local attacker can gain access to potentially sensitive information.
6) Privilege escalation (CVE-ID: CVE-2018-2835)
The vulnerability allows a local attacker to gain elevated privileges on the target system. The weakness exists in the Oracle VM VirtualBox Core component due to improper security restrictions. A local attacker can gain root privileges.
7) Privilege escalation (CVE-ID: CVE-2018-2836)
The vulnerability allows a local attacker to gain elevated privileges on the target system. The weakness exists in the Oracle VM VirtualBox Core component due to improper security restrictions. A local attacker can gain root privileges.
8) Privilege escalation (CVE-ID: CVE-2018-2837)
The vulnerability allows a local attacker to gain elevated privileges on the target system. The weakness exists in the Oracle VM VirtualBox Core component due to improper security restrictions. A local attacker can gain root privileges.
9) Privilege escalation (CVE-ID: CVE-2018-2842)
The vulnerability allows a local attacker to gain elevated privileges on the target system. The weakness exists in the Oracle VM VirtualBox Core component due to improper security restrictions. A local attacker can gain root privileges.
10) Privilege escalation (CVE-ID: CVE-2018-2843)
The vulnerability allows a local attacker to gain elevated privileges on the target system. The weakness exists in the Oracle VM VirtualBox Core component due to improper security restrictions. A local attacker can gain root privileges.
11) Privilege escalation (CVE-ID: CVE-2018-2844)
The vulnerability allows a local attacker to gain elevated privileges on the target system. The weakness exists in the Oracle VM VirtualBox Core component due to improper security restrictions. A local attacker can gain root privileges.
12) Security restrictions bypass (CVE-ID: CVE-2018-2845)
The vulnerability allows a local attacker to obtain potentially sensitive information, write arbitrary files and cause a DoS condition on the target system. The weakness exists in the Oracle VM VirtualBox Core component due to improper information control. A local attacker can partially access data, partially modify data and cause the service to crash.
13) Privilege escalation (CVE-ID: CVE-2018-2860)
The vulnerability allows a local attacker to gain elevated privileges on the target system. The weakness exists in the Oracle VM VirtualBox Core component due to improper security restrictions. A local attacker can gain root privileges.
Remediation
Install the update from the vendor's website.