openSUSE Security Update : virtualbox (openSUSE-2018-389) (Optionsbleed)

Medium Nessus Plugin ID 109294

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for VirtualBox to version 5.1.36 fixes multiple issues:

Security issues fixed:

- CVE-2018-0739: Unauthorized remote attacker may have caused a hang or frequently repeatable crash (complete DoS)

- CVE-2018-2830: Attacker with host login may have compromised VirtualBox or further system services after interaction with a third user

- CVE-2018-2831: Attacker with host login may have compromised VirtualBox or further system services, allowing read access to some data

- CVE-2018-2835: Attacker with host login may have gained control over VirtualBox and possibly further system services after interacting with a third user

- CVE-2018-2836: Attacker with host login may have gained control over VirtualBox and possibly further system services after interacting with a third user

- CVE-2018-2837: Attacker with host login may have gained control over VirtualBox and possibly further system services after interacting with a third user

- CVE-2018-2842: Attacker with host login may have gained control over VirtualBox and possibly further system services after interacting with a third user

- CVE-2018-2843: Attacker with host login may have gained control over VirtualBox and possibly further system services after interacting with a third user

- CVE-2018-2844: Attacker with host login may have gained control over VirtualBox and possibly further system services after interacting with a third user

- CVE-2018-2845: Attacker with host login may have caused a hang or frequently repeatable crash (complete DoS), and performed unauthorized read and write operations on some VirtualBox accessible data

- CVE-2018-2860: Privileged attacker may have gained control over VirtualBox and possibly further system services

http://www.oracle.com/technetwork/security-advisory/cpuapr2018verbose-3678108.html

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixOVIR

This update also contains all upstream fixes and improvements in the stable 5.1.36 release.

Solution

Update the affected virtualbox packages.

See Also

http://www.nessus.org/u?05e0bcf5

http://www.nessus.org/u?7eca6abf

https://bugzilla.opensuse.org/show_bug.cgi?id=1089997

Plugin Details

Severity: Medium

ID: 109294

File Name: openSUSE-2018-389.nasl

Version: 1.3

Type: local

Agent: unix

Published: 2018/04/24

Updated: 2019/04/05

Dependencies: 12634

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

CVSS v3.0

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:python-virtualbox, p-cpe:/a:novell:opensuse:python-virtualbox-debuginfo, p-cpe:/a:novell:opensuse:virtualbox, p-cpe:/a:novell:opensuse:virtualbox-debuginfo, p-cpe:/a:novell:opensuse:virtualbox-debugsource, p-cpe:/a:novell:opensuse:virtualbox-devel, p-cpe:/a:novell:opensuse:virtualbox-guest-desktop-icons, p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-default, p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-default-debuginfo, p-cpe:/a:novell:opensuse:virtualbox-guest-source, p-cpe:/a:novell:opensuse:virtualbox-guest-tools, p-cpe:/a:novell:opensuse:virtualbox-guest-tools-debuginfo, p-cpe:/a:novell:opensuse:virtualbox-guest-x11, p-cpe:/a:novell:opensuse:virtualbox-guest-x11-debuginfo, p-cpe:/a:novell:opensuse:virtualbox-host-kmp-default, p-cpe:/a:novell:opensuse:virtualbox-host-kmp-default-debuginfo, p-cpe:/a:novell:opensuse:virtualbox-host-source, p-cpe:/a:novell:opensuse:virtualbox-qt, p-cpe:/a:novell:opensuse:virtualbox-qt-debuginfo, p-cpe:/a:novell:opensuse:virtualbox-vnc, p-cpe:/a:novell:opensuse:virtualbox-websrv, p-cpe:/a:novell:opensuse:virtualbox-websrv-debuginfo, cpe:/o:novell:opensuse:42.3

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2018/04/23

Reference Information

CVE: CVE-2017-3737, CVE-2017-9798, CVE-2018-0739, CVE-2018-2830, CVE-2018-2831, CVE-2018-2835, CVE-2018-2836, CVE-2018-2837, CVE-2018-2842, CVE-2018-2843, CVE-2018-2844, CVE-2018-2845, CVE-2018-2860