CVE-2019-3021 - Unspecified vulnerability in Oracle VM VirtualBox
Summary
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are prior to 5.2.34 and prior to 6.0.14. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H).
Vulnerable Configurations
Nessus
- NASL family: Windows
- NASL id: VIRTUALBOX_6_0_14.NASL
- description: The version of Oracle VM VirtualBox running on the remote host is 5.2.x prior to 5.2.34 or 6.0.x prior to 6.0.14. It is, therefore, affected by multiple vulnerabilities as noted in the October 2019 Critical Patch Update advisory:
  - A vulnerability exists in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core) prior to 5.2.34 and prior to 6.0.14. An authenticated low privileged local attacker with logon to the infrastructure where Oracle VM VirtualBox can exploit the vulnerability to impact additional products or takeover The Oracle VM VirtualBox. (CVE-2019-3028)
  - A vulnerability exists in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core) prior to 5.2.34 and prior to 6.0.14. An authenticated high privileged local attacker with logon to the infrastructure where Oracle VM VirtualBox can exploit the vulnerability to impact additional products, cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox as well as unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data and unauthorized read access to a subset of Oracle VM VirtualBox accessible data. (CVE-2019-2944)
  - A denial of service (DoS) vulnerability exists in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core) prior to 5.2.34 and prior to 6.0.14. An authenticated low privileged local attacker with logon to the infrastructure where Oracle VM VirtualBox can exploit the vulnerability to impact additional products or cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. (CVE-2019-3021)

  Please consult the CVRF details for the applicable CVEs for additional information. Nessus has not tested for these issues but has instead relied only on the application
- last seen: 2020-04-18
- modified: 2019-10-18
- plugin id: 130056
- published: 2019-10-18
- reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/130056
- title: Oracle VM VirtualBox 5.2.x < 5.2.34 / 6.0.x < 6.0.14 (Oct 2019 CPU)

- NASL family: MacOS X Local Security Checks
- NASL id: MACOSX_VIRTUALBOX_6_0_14.NASL
- description: The version of Oracle VM VirtualBox running on the remote Mac OS X host is 5.2.x prior to 5.2.34 or 6.0.x prior to 6.0.14. It is, therefore, affected by multiple vulnerabilities as noted in the October 2019 Critical Patch Update advisory:
  - A vulnerability exists in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core) prior to 5.2.34 and prior to 6.0.14. An authenticated low privileged local attacker with logon to the infrastructure where Oracle VM VirtualBox can exploit the vulnerability to impact additional products or takeover The Oracle VM VirtualBox. (CVE-2019-3028)
  - A vulnerability exists in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core) prior to 5.2.34 and prior to 6.0.14. An authenticated high privileged local attacker with logon to the infrastructure where Oracle VM VirtualBox can exploit the vulnerability to impact additional products, cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox as well as unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data and unauthorized read access to a subset of Oracle VM VirtualBox accessible data. (CVE-2019-2944)
  - A denial of service (DoS) vulnerability exists in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core) prior to 5.2.34 and prior to 6.0.14. An authenticated low privileged local attacker with logon to the infrastructure where Oracle VM VirtualBox can exploit the vulnerability to impact additional products or cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. (CVE-2019-3021)

  Please consult the CVRF details for the applicable CVEs for additional information. Nessus has not tested for these issues but has instead relied only on the application
- last seen: 2020-04-18
- modified: 2019-10-18
- plugin id: 130055
- published: 2019-10-18
- reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/130055
- title: Oracle VM VirtualBox 5.2.x < 5.2.34 / 6.0.x < 6.0.14 (Oct 2019 CPU) (MacOSX)

- NASL family: Gentoo Local Security Checks
- NASL id: GENTOO_GLSA-202004-02.NASL
- description: The remote host is affected by the vulnerability described in GLSA-202004-02 (VirtualBox: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in VirtualBox. Please review the CVE identifiers referenced below for details.
  - Impact: An attacker could take control of VirtualBox resulting in the execution of arbitrary code with the privileges of the process, a Denial of Service condition, or other unspecified impacts.
  - Workaround: There is no known workaround at this time.
- last seen: 2020-04-30
- modified: 2020-04-02
- plugin id: 135113
- published: 2020-04-02
- reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/135113
- title: GLSA-202004-02 : VirtualBox: Multiple vulnerabilities
References
- http://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://security.gentoo.org/glsa/202004-02
- https://security.gentoo.org/glsa/202101-09