CVE-2019-2501 - Unspecified vulnerability in Oracle VM Virtualbox
Summary
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are prior to 5.2.24 and prior to 6.0.2. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.0 Base Score 3.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N).
Nessus
- NASL family: SuSE Local Security Checks
- NASL id: OPENSUSE-2019-1547.NASL
- description: This update for virtualbox to version 5.2.24 fixes the following issues : Multiple security issues fixed : CVE-2019-2500, CVE-2019-2524, CVE-2019-2552, CVE-2018-3309, CVE-2019-2520 CVE-2019-2521, CVE-2019-2522, CVE-2019-2523, CVE-2019-2526, CVE-2019-2548 CVE-2018-11763, CVE-2019-2511, CVE-2019-2508, CVE-2019-2509, CVE-2019-2527 CVE-2019-2450, CVE-2019-2451, CVE-2019-2555, CVE-2019-2554, CVE-2019-2556 CVE-2018-11784, CVE-2018-0734, CVE-2019-2525, CVE-2019-2446, CVE-2019-2448 CVE-2019-2501, CVE-2019-2504, CVE-2019-2505, CVE-2019-2506, and CVE-2019-2553 (bsc#1122212). Other issues fixed :
  - Linux Additions: fix for building vboxvideo on EL 7.6 standard kernel, contributed by Robert Conde
  - USB: fixed a problem causing failures attaching SuperSpeed devices which report USB version 3.1 (rather than 3.0) on Windows hosts
  - Audio: added support for surround speaker setups used by Windows 10 Build 1809
  - Linux hosts: fixed conflict between Debian and Oracle build desktop files
  - Linux guests: fixed building drivers on SLES 12.4
  - Linux guests: fixed building shared folder driver with older kernels
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 125844
- published: 2019-06-12
- reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/125844
- title: openSUSE Security Update : virtualbox (openSUSE-2019-1547)
- code:

```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2019-1547.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(125844);
  script_version("1.2");
  script_cvs_date("Date: 2020/01/10");

  script_cve_id("CVE-2018-0734", "CVE-2018-11763", "CVE-2018-11784", "CVE-2018-3309",
                "CVE-2019-2446", "CVE-2019-2448", "CVE-2019-2450", "CVE-2019-2451",
                "CVE-2019-2500", "CVE-2019-2501", "CVE-2019-2504", "CVE-2019-2505",
                "CVE-2019-2506", "CVE-2019-2508", "CVE-2019-2509", "CVE-2019-2511",
                "CVE-2019-2520", "CVE-2019-2521", "CVE-2019-2522", "CVE-2019-2523",
                "CVE-2019-2524", "CVE-2019-2525", "CVE-2019-2526", "CVE-2019-2527",
                "CVE-2019-2548", "CVE-2019-2552", "CVE-2019-2553", "CVE-2019-2554",
                "CVE-2019-2555", "CVE-2019-2556");

  script_name(english:"openSUSE Security Update : virtualbox (openSUSE-2019-1547)");
  script_summary(english:"Check for the openSUSE-2019-1547 patch");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update for virtualbox to version 5.2.24 fixes the following
issues :

Multiple security issues fixed :

CVE-2019-2500, CVE-2019-2524, CVE-2019-2552, CVE-2018-3309,
CVE-2019-2520 CVE-2019-2521, CVE-2019-2522, CVE-2019-2523,
CVE-2019-2526, CVE-2019-2548 CVE-2018-11763, CVE-2019-2511,
CVE-2019-2508, CVE-2019-2509, CVE-2019-2527 CVE-2019-2450,
CVE-2019-2451, CVE-2019-2555, CVE-2019-2554, CVE-2019-2556
CVE-2018-11784, CVE-2018-0734, CVE-2019-2525, CVE-2019-2446,
CVE-2019-2448 CVE-2019-2501, CVE-2019-2504, CVE-2019-2505,
CVE-2019-2506, and CVE-2019-2553 (bsc#1122212).

Other issues fixed :

  - Linux Additions: fix for building vboxvideo on EL 7.6
    standard kernel, contributed by Robert Conde

  - USB: fixed a problem causing failures attaching
    SuperSpeed devices which report USB version 3.1 (rather
    than 3.0) on Windows hosts

  - Audio: added support for surround speaker setups used by
    Windows 10 Build 1809

  - Linux hosts: fixed conflict between Debian and Oracle
    build desktop files

  - Linux guests: fixed building drivers on SLES 12.4

  - Linux guests: fixed building shared folder driver with
    older kernels"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1122212"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected virtualbox packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-2552");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python3-virtualbox");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python3-virtualbox-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-desktop-icons");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-default");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-default-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-source");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-tools-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-x11");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-x11-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-host-kmp-default");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-host-kmp-default-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-host-source");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-qt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-qt-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-vnc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-websrv");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-websrv-debuginfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.0");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/09/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/06/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/06/12");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE15\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.0", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE15.0", reference:"python3-virtualbox-5.2.24-lp150.4.33.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"python3-virtualbox-debuginfo-5.2.24-lp150.4.33.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"virtualbox-5.2.24-lp150.4.33.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"virtualbox-debuginfo-5.2.24-lp150.4.33.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"virtualbox-debugsource-5.2.24-lp150.4.33.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"virtualbox-devel-5.2.24-lp150.4.33.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"virtualbox-guest-desktop-icons-5.2.24-lp150.4.33.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"virtualbox-guest-kmp-default-5.2.24_k4.12.14_lp150.12.61-lp150.4.33.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"virtualbox-guest-kmp-default-debuginfo-5.2.24_k4.12.14_lp150.12.61-lp150.4.33.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"virtualbox-guest-source-5.2.24-lp150.4.33.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"virtualbox-guest-tools-5.2.24-lp150.4.33.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"virtualbox-guest-tools-debuginfo-5.2.24-lp150.4.33.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"virtualbox-guest-x11-5.2.24-lp150.4.33.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"virtualbox-guest-x11-debuginfo-5.2.24-lp150.4.33.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"virtualbox-host-kmp-default-5.2.24_k4.12.14_lp150.12.61-lp150.4.33.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"virtualbox-host-kmp-default-debuginfo-5.2.24_k4.12.14_lp150.12.61-lp150.4.33.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"virtualbox-host-source-5.2.24-lp150.4.33.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"virtualbox-qt-5.2.24-lp150.4.33.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"virtualbox-qt-debuginfo-5.2.24-lp150.4.33.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"virtualbox-vnc-5.2.24-lp150.4.33.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"virtualbox-websrv-5.2.24-lp150.4.33.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"virtualbox-websrv-debuginfo-5.2.24-lp150.4.33.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python3-virtualbox / python3-virtualbox-debuginfo / virtualbox / etc");
}
```

- NASL family: SuSE Local Security Checks
- NASL id: OPENSUSE-2019-84.NASL
- description: This update for virtualbox version 5.2.24 fixes the following issues : Update fixes multiple vulnerabilities : CVE-2019-2500, CVE-2019-2524, CVE-2019-2552, CVE-2018-3309, CVE-2019-2520 CVE-2019-2521, CVE-2019-2522, CVE-2019-2523, CVE-2019-2526, CVE-2019-2548 CVE-2018-11763, CVE-2019-2511, CVE-2019-2508, CVE-2019-2509, CVE-2019-2527 CVE-2019-2450, CVE-2019-2451, CVE-2019-2555, CVE-2019-2554, CVE-2019-2556 CVE-2018-11784, CVE-2018-0734, CVE-2019-2525, CVE-2019-2446, CVE-2019-2448 CVE-2019-2501, CVE-2019-2504, CVE-2019-2505, CVE-2019-2506, and CVE-2019-2553 (boo#1122212). Non-security issues fixed :
  - Linux Additions: fix for building vboxvideo on EL 7.6 standard kernel, contributed by Robert Conde
  - USB: fixed a problem causing failures attaching SuperSpeed devices which report USB version 3.1 (rather than 3.0) on Windows hosts
  - Audio: added support for surround speaker setups used by Windows 10 Build 1809
  - Linux hosts: fixed conflict between Debian and Oracle build desktop files
  - Linux guests: fixed building drivers on SLES 12.4
  - Linux guests: fixed building shared folder driver with older kernels
- last seen: 2020-03-18
- modified: 2019-01-28
- plugin id: 121411
- published: 2019-01-28
- reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/121411
- title: openSUSE Security Update : virtualbox (openSUSE-2019-84)
- code:

```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2019-84.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(121411);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/20");

  script_cve_id("CVE-2018-0734", "CVE-2018-11763", "CVE-2018-11784", "CVE-2018-3309",
                "CVE-2019-2446", "CVE-2019-2448", "CVE-2019-2450", "CVE-2019-2451",
                "CVE-2019-2500", "CVE-2019-2501", "CVE-2019-2504", "CVE-2019-2505",
                "CVE-2019-2506", "CVE-2019-2508", "CVE-2019-2509", "CVE-2019-2511",
                "CVE-2019-2520", "CVE-2019-2521", "CVE-2019-2522", "CVE-2019-2523",
                "CVE-2019-2524", "CVE-2019-2525", "CVE-2019-2526", "CVE-2019-2527",
                "CVE-2019-2548", "CVE-2019-2552", "CVE-2019-2553", "CVE-2019-2554",
                "CVE-2019-2555", "CVE-2019-2556");

  script_name(english:"openSUSE Security Update : virtualbox (openSUSE-2019-84)");
  script_summary(english:"Check for the openSUSE-2019-84 patch");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update for virtualbox version 5.2.24 fixes the following 
issues :

Update fixes multiple vulnerabilities :

CVE-2019-2500, CVE-2019-2524, CVE-2019-2552, CVE-2018-3309,
CVE-2019-2520 CVE-2019-2521, CVE-2019-2522, CVE-2019-2523,
CVE-2019-2526, CVE-2019-2548 CVE-2018-11763, CVE-2019-2511,
CVE-2019-2508, CVE-2019-2509, CVE-2019-2527 CVE-2019-2450,
CVE-2019-2451, CVE-2019-2555, CVE-2019-2554, CVE-2019-2556
CVE-2018-11784, CVE-2018-0734, CVE-2019-2525, CVE-2019-2446,
CVE-2019-2448 CVE-2019-2501, CVE-2019-2504, CVE-2019-2505,
CVE-2019-2506, and CVE-2019-2553 (boo#1122212).

Non-security issues fixed :

  - Linux Additions: fix for building vboxvideo on EL 7.6
    standard kernel, contributed by Robert Conde

  - USB: fixed a problem causing failures attaching
    SuperSpeed devices which report USB version 3.1 (rather
    than 3.0) on Windows hosts

  - Audio: added support for surround speaker setups used by
    Windows 10 Build 1809

  - Linux hosts: fixed conflict between Debian and Oracle
    build desktop files

  - Linux guests: fixed building drivers on SLES 12.4

  - Linux guests: fixed building shared folder driver with
    older kernels"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1122212"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected virtualbox packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-2552");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-virtualbox");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-virtualbox-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-desktop-icons");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-default");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-default-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-source");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-tools-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-x11");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-guest-x11-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-host-kmp-default");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-host-kmp-default-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-host-source");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-qt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-qt-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-vnc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-websrv");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:virtualbox-websrv-debuginfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/09/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/01/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/28");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.3", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE42.3", reference:"python-virtualbox-5.2.24-66.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"python-virtualbox-debuginfo-5.2.24-66.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-5.2.24-66.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-debuginfo-5.2.24-66.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-debugsource-5.2.24-66.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-devel-5.2.24-66.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-guest-desktop-icons-5.2.24-66.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-guest-kmp-default-5.2.24_k4.4.165_81-66.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-guest-kmp-default-debuginfo-5.2.24_k4.4.165_81-66.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-guest-source-5.2.24-66.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-guest-tools-5.2.24-66.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-guest-tools-debuginfo-5.2.24-66.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-guest-x11-5.2.24-66.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-guest-x11-debuginfo-5.2.24-66.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-host-kmp-default-5.2.24_k4.4.165_81-66.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-host-kmp-default-debuginfo-5.2.24_k4.4.165_81-66.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-host-source-5.2.24-66.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-qt-5.2.24-66.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-qt-debuginfo-5.2.24-66.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-vnc-5.2.24-66.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-websrv-5.2.24-66.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"virtualbox-websrv-debuginfo-5.2.24-66.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python-virtualbox / python-virtualbox-debuginfo / virtualbox / etc");
}
```

- NASL family: Misc.
- NASL id: VIRTUALBOX_JAN_2019_CPU.NASL
- description: The version of Oracle VM VirtualBox running on the remote host is 5.2.x prior to 5.2.24 or 6.0.x prior to 6.0.2. It is, therefore, affected by multiple vulnerabilities as noted in the January 2018 Critical Patch Update advisory :
  - A denial of service vulnerability in the bundled third-party component OpenSSL library
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 121247
- published: 2019-01-18
- reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/121247
- title: Oracle VM VirtualBox 5.2.x < 5.2.24 / 6.0.x < 6.0.2 (Jan 2019 CPU)
- code:

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(121247);
  script_version("1.6");
  script_cvs_date("Date: 2019/11/01 9:24:56");

  script_cve_id(
    "CVE-2018-0734",
    "CVE-2018-0735",
    "CVE-2018-3309",
    "CVE-2018-5407",
    "CVE-2019-2446",
    "CVE-2019-2448",
    "CVE-2019-2500",
    "CVE-2019-2501",
    "CVE-2019-2504",
    "CVE-2019-2505",
    "CVE-2019-2506",
    "CVE-2019-2508",
    "CVE-2019-2509",
    "CVE-2019-2511",
    "CVE-2019-2520",
    "CVE-2019-2521",
    "CVE-2019-2522",
    "CVE-2019-2523",
    "CVE-2019-2524",
    "CVE-2019-2525",
    "CVE-2019-2526",
    "CVE-2019-2527",
    "CVE-2019-2548",
    "CVE-2019-2550",
    "CVE-2019-2551",
    "CVE-2019-2552",
    "CVE-2019-2553",
    "CVE-2019-2554",
    "CVE-2019-2555",
    "CVE-2019-2556"
  );
  script_bugtraq_id(
    105750,
    105758,
    105897,
    106568,
    106572,
    106574,
    106613
  );

  script_name(english:"Oracle VM VirtualBox 5.2.x < 5.2.24 / 6.0.x < 6.0.2 (Jan 2019 CPU)");
  script_summary(english:"Performs a version check on VirtualBox");

  script_set_attribute(attribute:"synopsis", value:
"An application installed on the remote host is affected by multiple
vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Oracle VM VirtualBox running on the remote host is
5.2.x prior to 5.2.24 or 6.0.x prior to 6.0.2. It is, therefore,
affected by multiple vulnerabilities as noted in the January 2018
Critical Patch Update advisory :

  - A denial of service vulnerability in the bundled
    third-party component OpenSSL library's DSA signature
    algorithm that renders it vulnerable to a timing side
    channel attack. An attacker could leverage this
    vulnerability to recover the private key.
    (CVE-2018-0734)

  - Multiple unspecified vulnerabilities in the Core
    component of Oracle VirtualBox could allow an
    authenticated, local attacker with logon to the
    infrastructure where Oracle VM VirtualBox executes to
    compromise Oracle VM VirtualBox. (CVE-2018-3309,
    CVE-2019-2500, CVE-2019-2520, CVE-2019-2521,
    CVE-2019-2522, CVE-2019-2523, CVE-2019-2524,
    CVE-2019-2526, CVE-2019-2548, CVE-2019-2552)

  - Multiple unspecified vulnerabilities in the Core
    component of Oracle VirtualBox could allow an
    authenticated, local attacker with logon to the
    infrastructure where Oracle VM VirtualBox executes to
    potentially expose critical or confidential data.
    (CVE-2019-2446, CVE-2019-2448, CVE-2019-2450,
    CVE-2019-2451, CVE-2019-2501, CVE-2019-2504,
    CVE-2019-2505, CVE-2019-2506, CVE-2019-2525,
    CVE-2019-2553, CVE-2019-2554, CVE-2019-2555,
    CVE-2019-2556)

  - Multiple denial of service vulnerabilities in the Core
    component of Oracle VirtualBox could allow an
    authenticated, local attacker with logon to the
    infrastructure where Oracle VM VirtualBox executes to
    cause a denial of service condition. (CVE-2019-2508,
    CVE-2019-2509, CVE-2019-2527)

  - An denial of service vulnerabilities with the SOAP
    protocol in the Core component of Oracle VirtualBox
    could allow an unauthenticated, remote attacker, to
    potentially a denial of service condition.
    (CVE-2019-2511)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  # https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html#AppendixOVIR
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0dcafb3e");
  script_set_attribute(attribute:"see_also", value:"https://www.virtualbox.org/wiki/Changelog");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Oracle VM VirtualBox version 5.2.24, 6.0.2 or later as
referenced in the January 2019 Oracle Critical Patch Update advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-2551");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"agent", value:"all");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/10/30");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/01/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/18");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:vm_virtualbox");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("virtualbox_installed.nasl", "macosx_virtualbox_installed.nbin");
  script_require_ports("installed_sw/Oracle VM VirtualBox", "installed_sw/VirtualBox");

  exit(0);
}

include("vcf.inc");

if (get_kb_item("installed_sw/Oracle VM VirtualBox"))
  app_info = vcf::get_app_info(app:"Oracle VM VirtualBox", win_local:TRUE);
else
  app_info = vcf::get_app_info(app:"VirtualBox");

constraints = [
  {"min_version" : "5.2", "fixed_version" : "5.2.24"},
  {"min_version" : "6.0", "fixed_version" : "6.0.2"}
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
```

References
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00030.html
- http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
- http://www.securityfocus.com/bid/106568