SB2024041782 - Multiple vulnerabilities in Oracle VM VirtualBox

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024041782

SB2024041782 - Multiple vulnerabilities in Oracle VM VirtualBox

Published: April 17, 2024 Updated: June 17, 2024

Security Bulletin ID SB2024041782
Severity
Medium
Patch available
YES
Number of vulnerabilities 13
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 8% Low 92%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 13 secuirty vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2024-21108)

The vulnerability allows a local authenticated user to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local authenticated user can exploit this vulnerability to gain access to sensitive information.


2) Exposure of Resource to Wrong Sphere (CVE-ID: CVE-2024-21109)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to information exposure within the vboxwebsrv service. A remote non-authenticated attacker can gain access to sensitive session information.


3) Use-after-free (CVE-ID: CVE-2024-21121)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the virtual OHCI USB controller. A local user can execute arbitrary code with elevated privileges.


4) Improper input validation (CVE-ID: CVE-2024-21106)

The vulnerability allows a local authenticated user to a crash the entire system.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local authenticated user can exploit this vulnerability to a crash the entire system.


5) Improper input validation (CVE-ID: CVE-2024-21107)

The vulnerability allows a local privileged user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local privileged user can exploit this vulnerability to execute arbitrary code.


6) Improper access control (CVE-ID: CVE-2024-21110)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper access restrictions within Guest Additions. A local user can execute arbitrary code with elevated privileges.


7) Improper Privilege Management (CVE-ID: CVE-2024-21116)

The vulnerability allows a local user to escalate privileges.

The vulnerability exists due to improper privilege management within the vboxdrv kernel module. A local user can execute arbitrary code with root privileges.


8) Improper input validation (CVE-ID: CVE-2024-21111)

The vulnerability allows a local authenticated user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local authenticated user can exploit this vulnerability to execute arbitrary code.


9) Improper input validation (CVE-ID: CVE-2024-21103)

The vulnerability allows a local authenticated user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local authenticated user can exploit this vulnerability to execute arbitrary code.


10) Out-of-bounds write (CVE-ID: CVE-2024-21115)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error within the DevVGA module. A local user can trigger an out-of-bounds write and execute arbitrary code with elevated privileges.


11) Buffer overflow (CVE-ID: CVE-2024-21114)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error within the VirtIOCore module. A local user can trigger memory corruption and execute arbitrary code with elevated privileges.


12) Use of Uninitialized Variable (CVE-ID: CVE-2024-21113)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to access to uninitialized memory within the implementation of the E1000 virtual device. A local user can gain access to sensitive information on the system.


13) Use of Uninitialized Variable (CVE-ID: CVE-2024-21112)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to access to uninitialized memory within the implementation of the virtual AHCI controller. A local user can gain access to sensitive information.



Remediation

Install update from vendor's website.

References