Oracle VM VirtualBox 5.0.x < 5.0.34 / 5.1.x < 5.1.16 Shared Folder Implementation Information Disclosure

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

An application installed on the remote host is affected by an
information disclosure vulnerability.

Description :

The version of Oracle VM VirtualBox installed on the remote host is
5.0.x prior to 5.0.34 or 5.1.x prior to 5.1.16. It is, therefore,
affected by an information disclosure vulnerability within the shared
folder implementation, specifically in the vbsfPathCheckRootEscape()
function, that permits cooperating guests that have write access to
the same shared folder to gain access to the file system of the Linux
host. An authenticated attacker within a guest VM can exploit this to
read arbitrary files on the host. However, exploitation requires that
the shared folder is not more than nine levels away from the file
system root.

Note that Nessus has not tested for this issue but has instead relied
only on the application's self-reported version number.
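
The two conditions in the description (an affected version, and a shared folder no more than nine levels from the file system root) can be checked on a Linux host with a short script. This is an added example, not part of the Nessus plugin: the function names are hypothetical, the sample inventory is constructed, and counting path components as "levels" is this example's reading of the description.

```shell
#!/bin/sh
# Added example: classify a VirtualBox version and a shared-folder host path.

# vbox_affected VERSION: status 0 if 5.0.x < 5.0.34 or 5.1.x < 5.1.16,
# 1 if outside that range, 2 if the string cannot be parsed.
vbox_affected() {
    # Drop build suffixes such as "r112924" (as printed by VBoxManage --version).
    v=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$v" ] || return 2
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; patch=${rest#*.}
    case "$major.$minor" in
        5.0) [ "$patch" -lt 34 ] ;;
        5.1) [ "$patch" -lt 16 ] ;;
        *)   return 1 ;;
    esac
}

# path_depth HOST_PATH: print the number of components below "/".
# Pass an already resolved absolute path; "//" and "." are ignored.
path_depth() {
    depth=0; old_ifs=$IFS; IFS=/; set -f
    for part in $1; do
        case "$part" in ''|.) ;; *) depth=$((depth + 1)) ;; esac
    done
    set +f; IFS=$old_ifs
    echo "$depth"
}

# share_exposed VERSION HOST_PATH: status 0 when both conditions hold.
share_exposed() {
    vbox_affected "$1" && [ "$(path_depth "$2")" -le 9 ]
}

# Constructed sample inventory: "version|host path of the shared folder".
while IFS='|' read -r ver hostdir; do
    if share_exposed "$ver" "$hostdir"; then state="REVIEW"; else state="ok"; fi
    printf '%-16s %-32s %s\n' "$ver" "$hostdir" "$state"
done <<'EOF'
5.1.14r112924|/home/alice/vmshare
5.0.34r113845|/home/alice/vmshare
5.1.10r112026|/srv/a/b/c/d/e/f/g/h/i/share
EOF
```

A version string that cannot be parsed is reported as not exposed by `share_exposed`, so check the return code of `vbox_affected` separately when the version source is unreliable.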

See also :

http://www.nessus.org/u?a61fdb8e
https://www.virtualbox.org/wiki/Changelog

Solution :

Upgrade to Oracle VM VirtualBox version 5.0.34 / 5.1.16 or later.

Risk factor :

Medium / CVSS Base Score : 5.2
(CVSS2#AV:A/AC:M/Au:S/C:C/I:N/A:N)
CVSS Temporal Score : 4.3
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Family: Misc.

Nessus Plugin ID: 99200

Bugtraq ID:

CVE ID:
