Vulnerabilities > CVE-2016-3612 - Unspecified vulnerability in Oracle VM Virtualbox
Attack vector
NETWORK Attack complexity
HIGH Privileges required
NONE Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 5.0.22 allows remote attackers to affect confidentiality via vectors related to Core.
Vulnerable Configurations
Nessus
NASL family Misc. NASL id VIRTUALBOX_5_0_22.NASL description The Oracle VM VirtualBox application installed on the remote host is a version prior to 5.0.22. It is, therefore, affected by multiple vulnerabilities in the bundled OpenSSL component : - A heap buffer overflow condition exists in the EVP_EncodeUpdate() function within file crypto/evp/encode.c that is triggered when handling a large amount of input data. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2105) - A heap buffer overflow condition exists in the EVP_EncryptUpdate() function within file crypto/evp/evp_enc.c that is triggered when handling a large amount of input data after a previous call occurs to the same function with a partial block. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2106) - Flaws exist in the aesni_cbc_hmac_sha1_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha1.c and the aesni_cbc_hmac_sha256_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha256.c that are triggered when the connection uses an AES-CBC cipher and AES-NI is supported by the server. A man-in-the-middle attacker can exploit these to conduct a padding oracle attack, resulting in the ability to decrypt the network traffic. (CVE-2016-2107) - Multiple unspecified flaws exist in the d2i BIO functions when reading ASN.1 data from a BIO due to invalid encoding causing a large allocation of memory. An unauthenticated, remote attacker can exploit these to cause a denial of service condition through resource exhaustion. (CVE-2016-2109) - An out-of-bounds read error exists in the X509_NAME_oneline() function within file crypto/x509/x509_obj.c when handling very long ASN1 strings. An unauthenticated, remote attacker can exploit this to disclose the contents of stack memory. (CVE-2016-2176) last seen 2020-06-01 modified 2020-06-02 plugin id 92458 published 2016-07-20 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92458 title Oracle VM VirtualBox < 5.0.22 Multiple Vulnerabilities (July 2016 CPU) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(92458); script_version("1.12"); script_cvs_date("Date: 2019/11/19"); script_cve_id( "CVE-2016-2105", "CVE-2016-2106", "CVE-2016-2107", "CVE-2016-2109", "CVE-2016-2176", "CVE-2016-3612" ); script_bugtraq_id( 87940, 89744, 89746, 89757, 89760 ); script_xref(name:"EDB-ID", value:"39768"); script_name(english:"Oracle VM VirtualBox < 5.0.22 Multiple Vulnerabilities (July 2016 CPU)"); script_summary(english:"Performs a version check on VirtualBox.exe."); script_set_attribute(attribute:"synopsis", value: "An application installed on the remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The Oracle VM VirtualBox application installed on the remote host is a version prior to 5.0.22. It is, therefore, affected by multiple vulnerabilities in the bundled OpenSSL component : - A heap buffer overflow condition exists in the EVP_EncodeUpdate() function within file crypto/evp/encode.c that is triggered when handling a large amount of input data. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2105) - A heap buffer overflow condition exists in the EVP_EncryptUpdate() function within file crypto/evp/evp_enc.c that is triggered when handling a large amount of input data after a previous call occurs to the same function with a partial block. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2106) - Flaws exist in the aesni_cbc_hmac_sha1_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha1.c and the aesni_cbc_hmac_sha256_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha256.c that are triggered when the connection uses an AES-CBC cipher and AES-NI is supported by the server. A man-in-the-middle attacker can exploit these to conduct a padding oracle attack, resulting in the ability to decrypt the network traffic. (CVE-2016-2107) - Multiple unspecified flaws exist in the d2i BIO functions when reading ASN.1 data from a BIO due to invalid encoding causing a large allocation of memory. An unauthenticated, remote attacker can exploit these to cause a denial of service condition through resource exhaustion. (CVE-2016-2109) - An out-of-bounds read error exists in the X509_NAME_oneline() function within file crypto/x509/x509_obj.c when handling very long ASN1 strings. An unauthenticated, remote attacker can exploit this to disclose the contents of stack memory. (CVE-2016-2176)"); # http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?453b5f8c"); script_set_attribute(attribute:"see_also", value:"https://www.virtualbox.org/wiki/Changelog"); script_set_attribute(attribute:"solution", value: "Upgrade to Oracle VM VirtualBox version 5.0.22 or later as referenced in the July 2016 Oracle Critical Patch Update advisory."); script_set_attribute(attribute:"agent", value:"all"); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-2176"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/22"); script_set_attribute(attribute:"patch_publication_date", value:"2016/07/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/07/20"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:vm_virtualbox"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("virtualbox_installed.nasl", "macosx_virtualbox_installed.nbin"); script_require_ports("installed_sw/Oracle VM VirtualBox", "installed_sw/VirtualBox"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("install_func.inc"); app = NULL; apps = make_list('Oracle VM VirtualBox', 'VirtualBox'); foreach app (apps) { if (get_install_count(app_name:app)) break; else app = NULL; } if (isnull(app)) audit(AUDIT_NOT_INST, 'Oracle VM VirtualBox'); install = get_single_install(app_name:app, exit_if_unknown_ver:TRUE); ver = install['version']; path = install['path']; # Affected : # 5.0.x < 5.0.22 if (ver =~ '^5\\.0' && ver_compare(ver:ver, fix:'5.0.22', strict:FALSE) < 0) fix = '5.0.22'; else audit(AUDIT_INST_PATH_NOT_VULN, app, ver, path); port = 0; if (app == 'Oracle VM VirtualBox') { port = get_kb_item("SMB/transport"); if (!port) port = 445; } report = '\n Path : ' + path + '\n Installed version : ' + ver + '\n Fixed version : ' + fix + '\n'; security_report_v4(port:port, extra:report, severity:SECURITY_WARNING); exit(0);
NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-1087.NASL description Virtualbox was updated to 5.0.26 to fix the following issues : This update fixes various security issues. - CVE-2016-3612: An unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 5.0.22 allowed remote attackers to affect confidentiality via vectors related to Core. (boo#990369). - CVE-2016-3597: Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 5.0.26 allows local users to affect availability via vectors related to Core. (bsc#990370) - Update the host <-> guest KMP conflict dependencies to no longer refer to the old name (boo#983927). This is a maintenance release. The following items were fixed and/or added : - VMM: fixed a bug in the task switching code (ticket #15571) - GUI: allow to overwrite an existing file when saving a log file (bug #8034) - GUI: fixed screenshot if the VM is started in separate mode - Audio: improved recording from USB headsets and other sources which might need conversion of captured data - Audio: fixed regression of not having any audio available on Solaris hosts - VGA: fixed an occasional hang when running Windows guests with 3D enabled - Storage: fixed a possible endless reconnect loop for the iSCSI backend if connecting to the target succeeds but further I/O requests cause a disconnect - Storage: fixed a bug when resizing certain VDI images which resulted in using the whole disk on the host (bug #15582) - EFI: fixed access to devices attached to SATA port 2 and higher (bug #15607) - API: fixed video recording with VBoxHeadless (bug #15443) - API: don last seen 2020-06-05 modified 2016-09-20 plugin id 93596 published 2016-09-20 reporter This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/93596 title openSUSE Security Update : virtualbox (openSUSE-2016-1087)
References
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
- http://www.securityfocus.com/bid/91787
- http://www.securityfocus.com/bid/91787
- http://www.securityfocus.com/bid/91860
- http://www.securityfocus.com/bid/91860
- http://www.securitytracker.com/id/1036384
- http://www.securitytracker.com/id/1036384