Vulnerabilities > CVE-2020-2742 - Integer Overflow or Wraparound vulnerability in multiple products
Summary
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.36, prior to 6.0.16 and prior to 6.1.2. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Forced Integer Overflow This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.
Nessus
NASL family | Misc. |
NASL id | VIRTUALBOX_APR_2020_CPU.NASL |
description | The version of Oracle VM VirtualBox running on the remote host is 5.2.x prior to 5.2.40, 6.0.x prior to 6.0.20 or 6.1.x prior to 6.1.6. It is, therefore, affected by multiple vulnerabilities as noted in the April 2019 Critical Patch Update advisory. Note that Nessus has not tested for this issue buthas instead relied only on the application |
last seen | 2020-04-23 |
modified | 2020-04-15 |
plugin id | 135586 |
published | 2020-04-15 |
reporter | This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/135586 |
title | Oracle VM VirtualBox (Apr 2020 CPU) |
code |
|
References
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00001.html
- https://security.gentoo.org/glsa/202101-09
- https://security.gentoo.org/glsa/202101-09
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.zerodayinitiative.com/advisories/ZDI-20-499/
- https://www.zerodayinitiative.com/advisories/ZDI-20-499/