Vulnerabilities > CVE-2016-3612 - Unspecified vulnerability in Oracle VM Virtualbox

047910
CVSS 5.9 - MEDIUM
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
NONE
Availability impact
NONE
network
high complexity
oracle
nessus

Summary

Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 5.0.22 allows remote attackers to affect confidentiality via vectors related to Core.

Vulnerable Configurations

Part Description Count
Application
Oracle
144

Nessus

  • NASL familyMisc.
    NASL idVIRTUALBOX_5_0_22.NASL
    descriptionThe Oracle VM VirtualBox application installed on the remote host is a version prior to 5.0.22. It is, therefore, affected by multiple vulnerabilities in the bundled OpenSSL component : - A heap buffer overflow condition exists in the EVP_EncodeUpdate() function within file crypto/evp/encode.c that is triggered when handling a large amount of input data. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2105) - A heap buffer overflow condition exists in the EVP_EncryptUpdate() function within file crypto/evp/evp_enc.c that is triggered when handling a large amount of input data after a previous call occurs to the same function with a partial block. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2106) - Flaws exist in the aesni_cbc_hmac_sha1_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha1.c and the aesni_cbc_hmac_sha256_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha256.c that are triggered when the connection uses an AES-CBC cipher and AES-NI is supported by the server. A man-in-the-middle attacker can exploit these to conduct a padding oracle attack, resulting in the ability to decrypt the network traffic. (CVE-2016-2107) - Multiple unspecified flaws exist in the d2i BIO functions when reading ASN.1 data from a BIO due to invalid encoding causing a large allocation of memory. An unauthenticated, remote attacker can exploit these to cause a denial of service condition through resource exhaustion. (CVE-2016-2109) - An out-of-bounds read error exists in the X509_NAME_oneline() function within file crypto/x509/x509_obj.c when handling very long ASN1 strings. An unauthenticated, remote attacker can exploit this to disclose the contents of stack memory. (CVE-2016-2176)
    last seen2020-06-01
    modified2020-06-02
    plugin id92458
    published2016-07-20
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92458
    titleOracle VM VirtualBox < 5.0.22 Multiple Vulnerabilities (July 2016 CPU)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(92458);
      script_version("1.12");
      script_cvs_date("Date: 2019/11/19");
    
      script_cve_id(
        "CVE-2016-2105",
        "CVE-2016-2106",
        "CVE-2016-2107",
        "CVE-2016-2109",
        "CVE-2016-2176",
        "CVE-2016-3612"
      );
      script_bugtraq_id(
        87940,
        89744,
        89746,
        89757,
        89760
      );
      script_xref(name:"EDB-ID", value:"39768");
    
      script_name(english:"Oracle VM VirtualBox < 5.0.22 Multiple Vulnerabilities (July 2016 CPU)");
      script_summary(english:"Performs a version check on VirtualBox.exe.");
    
      script_set_attribute(attribute:"synopsis", value:
    "An application installed on the remote host is affected by multiple
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The Oracle VM VirtualBox application installed on the remote host is a
    version prior to 5.0.22. It is, therefore, affected by multiple
    vulnerabilities in the bundled OpenSSL component :
    
      - A heap buffer overflow condition exists in the
        EVP_EncodeUpdate() function within file
        crypto/evp/encode.c that is triggered when handling
        a large amount of input data. An unauthenticated, remote
        attacker can exploit this to cause a denial of service
        condition. (CVE-2016-2105)
    
      - A heap buffer overflow condition exists in the
        EVP_EncryptUpdate() function within file
        crypto/evp/evp_enc.c that is triggered when handling a
        large amount of input data after a previous call occurs
        to the same function with a partial block. An
        unauthenticated, remote attacker can exploit this to
        cause a denial of service condition. (CVE-2016-2106)
    
      - Flaws exist in the aesni_cbc_hmac_sha1_cipher()
        function in file crypto/evp/e_aes_cbc_hmac_sha1.c and
        the aesni_cbc_hmac_sha256_cipher() function in file
        crypto/evp/e_aes_cbc_hmac_sha256.c that are triggered
        when the connection uses an AES-CBC cipher and AES-NI
        is supported by the server. A man-in-the-middle attacker
        can exploit these to conduct a padding oracle attack,
        resulting in the ability to decrypt the network traffic.
        (CVE-2016-2107)
    
      - Multiple unspecified flaws exist in the d2i BIO
        functions when reading ASN.1 data from a BIO due to
        invalid encoding causing a large allocation of memory.
        An unauthenticated, remote attacker can exploit these to
        cause a denial of service condition through resource
        exhaustion. (CVE-2016-2109)
    
      - An out-of-bounds read error exists in the
        X509_NAME_oneline() function within file
        crypto/x509/x509_obj.c when handling very long ASN1
        strings. An unauthenticated, remote attacker can exploit
        this to disclose the contents of stack memory.
        (CVE-2016-2176)");
      # http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?453b5f8c");
      script_set_attribute(attribute:"see_also", value:"https://www.virtualbox.org/wiki/Changelog");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Oracle VM VirtualBox version 5.0.22 or later as referenced
    in the July 2016 Oracle Critical Patch Update advisory.");
      script_set_attribute(attribute:"agent", value:"all");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-2176");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/22");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/07/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/07/20");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:vm_virtualbox");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("virtualbox_installed.nasl", "macosx_virtualbox_installed.nbin");
      script_require_ports("installed_sw/Oracle VM VirtualBox", "installed_sw/VirtualBox");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("install_func.inc");
    
    app  = NULL;
    apps = make_list('Oracle VM VirtualBox', 'VirtualBox');
    
    foreach app (apps)
    {
      if (get_install_count(app_name:app)) break;
      else app = NULL;
    }
    
    if (isnull(app)) audit(AUDIT_NOT_INST, 'Oracle VM VirtualBox');
    
    install = get_single_install(app_name:app, exit_if_unknown_ver:TRUE);
    
    ver  = install['version'];
    path = install['path'];
    
    # Affected :
    # 5.0.x < 5.0.22
    if  (ver =~ '^5\\.0' && ver_compare(ver:ver, fix:'5.0.22', strict:FALSE) < 0) fix = '5.0.22';
    else audit(AUDIT_INST_PATH_NOT_VULN, app, ver, path);
    
    port = 0;
    if (app == 'Oracle VM VirtualBox')
    {
      port = get_kb_item("SMB/transport");
      if (!port) port = 445;
    }
    
    report =
      '\n  Path              : ' + path +
      '\n  Installed version : ' + ver +
      '\n  Fixed version     : ' + fix +
      '\n';
    security_report_v4(port:port, extra:report, severity:SECURITY_WARNING);
    exit(0);
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-1087.NASL
    descriptionVirtualbox was updated to 5.0.26 to fix the following issues : This update fixes various security issues. - CVE-2016-3612: An unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 5.0.22 allowed remote attackers to affect confidentiality via vectors related to Core. (boo#990369). - CVE-2016-3597: Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 5.0.26 allows local users to affect availability via vectors related to Core. (bsc#990370) - Update the host <-> guest KMP conflict dependencies to no longer refer to the old name (boo#983927). This is a maintenance release. The following items were fixed and/or added : - VMM: fixed a bug in the task switching code (ticket #15571) - GUI: allow to overwrite an existing file when saving a log file (bug #8034) - GUI: fixed screenshot if the VM is started in separate mode - Audio: improved recording from USB headsets and other sources which might need conversion of captured data - Audio: fixed regression of not having any audio available on Solaris hosts - VGA: fixed an occasional hang when running Windows guests with 3D enabled - Storage: fixed a possible endless reconnect loop for the iSCSI backend if connecting to the target succeeds but further I/O requests cause a disconnect - Storage: fixed a bug when resizing certain VDI images which resulted in using the whole disk on the host (bug #15582) - EFI: fixed access to devices attached to SATA port 2 and higher (bug #15607) - API: fixed video recording with VBoxHeadless (bug #15443) - API: don
    last seen2020-06-05
    modified2016-09-20
    plugin id93596
    published2016-09-20
    reporterThis script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/93596
    titleopenSUSE Security Update : virtualbox (openSUSE-2016-1087)