[ASA-202104-9] virtualbox: multiple issues

2021-04-29 00:00:00
security.archlinux.org

CVSS2 : 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
  Attack Vector : NETWORK
  Attack Complexity : MEDIUM
  Authentication : NONE
  Confidentiality Impact : PARTIAL
  Integrity Impact : PARTIAL
  Availability Impact : PARTIAL

CVSS3 : 8.2 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
  Attack Vector : LOCAL
  Attack Complexity : LOW
  Privileges Required : HIGH
  User Interaction : NONE
  Scope : CHANGED
  Confidentiality Impact : HIGH
  Integrity Impact : HIGH
  Availability Impact : HIGH

EPSS : 0.092 (percentile 94.7%)

Arch Linux Security Advisory ASA-202104-9

Severity: High
Date : 2021-04-29
CVE-ID : CVE-2021-2145 CVE-2021-2250 CVE-2021-2266 CVE-2021-2279
CVE-2021-2280 CVE-2021-2281 CVE-2021-2282 CVE-2021-2283
CVE-2021-2284 CVE-2021-2285 CVE-2021-2286 CVE-2021-2287
CVE-2021-2291 CVE-2021-2296 CVE-2021-2297 CVE-2021-2306
CVE-2021-2309 CVE-2021-2310 CVE-2021-2321
Package : virtualbox
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1846

Summary

The package virtualbox before version 6.1.20-1 is vulnerable to
multiple issues including arbitrary code execution, arbitrary
filesystem access and information disclosure.

Resolution

Upgrade to 6.1.20-1.

pacman -Syu "virtualbox>=6.1.20-1"

The problems have been fixed upstream in version 6.1.20.
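A check for the fix line above, added here as an example and not part of the advisory: it compares an installed virtualbox version string against 6.1.20-1 using a simplified re-implementation of the ordering pacman's vercmp applies (my reading of its epoch, pkgver and pkgrel rules, not pacman's own code).

```python
import re

# First fixed build of the Arch virtualbox package, as stated in ASA-202104-9.
FIXED_VERSION = "6.1.20-1"

def _segments(s):
    """'6.1.20rc1' -> [6, 1, 20, 'rc', 1]; digit runs become ints."""
    return [int(p) if p.isdigit() else p for p in re.findall(r"\d+|[A-Za-z]+", s)]

def _cmp_segments(a, b):
    # Numeric segments outrank alphabetic ones; like types compare naturally.
    rank = lambda v: (1, v) if isinstance(v, int) else (0, v)
    for x, y in zip(a, b):
        if rank(x) != rank(y):
            return -1 if rank(x) < rank(y) else 1
    if len(a) == len(b):
        return 0
    # One side has segments left over: a trailing alphabetic segment such as
    # 'rc1' makes that side older, a trailing numeric segment makes it newer.
    longer_is_a = len(a) > len(b)
    rest = a[len(b):] if longer_is_a else b[len(a):]
    newer = 1 if longer_is_a else -1
    return -newer if isinstance(rest[0], str) else newer

def _split(version):
    """'epoch:pkgver-pkgrel' -> (epoch, pkgver, pkgrel); epoch defaults to 0."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    pkgver, _, pkgrel = rest.partition("-")
    return int(epoch), pkgver, pkgrel

def compare_versions(a, b):
    """-1, 0 or 1 as a is older than, equal to or newer than b.
    Assumed vercmp-style ordering: epoch, then pkgver, then pkgrel, and
    pkgrel is only compared when both versions carry one."""
    ea, va, ra = _split(a)
    eb, vb, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _cmp_segments(_segments(va), _segments(vb))
    if r == 0 and ra and rb:
        r = _cmp_segments(_segments(ra), _segments(rb))
    return r

def is_affected(installed, fixed=FIXED_VERSION):
    """True when an installed virtualbox build predates the fixed one."""
    return compare_versions(installed, fixed) < 0
```

On a live system the installed string would come from `pacman -Q virtualbox`; a release candidate such as 6.1.20rc1-1 is still reported as affected, as vercmp would order it.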

Workaround

None.

Description

  • CVE-2021-2145 (arbitrary code execution)

Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Difficult to exploit vulnerability allows
high privileged attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability
can result in takeover of Oracle VM VirtualBox.

  • CVE-2021-2250 (arbitrary code execution)

Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Easily exploitable vulnerability allows
high privileged attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability
can result in takeover of Oracle VM VirtualBox.

  • CVE-2021-2266 (information disclosure)

Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Easily exploitable vulnerability allows
high privileged attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability
can result in unauthorized access to critical data or complete access
to all Oracle VM VirtualBox accessible data.

  • CVE-2021-2279 (arbitrary code execution)

Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Difficult to exploit vulnerability allows
unauthenticated attacker with network access via RDP to compromise
Oracle VM VirtualBox. Successful attacks of this vulnerability can
result in takeover of Oracle VM VirtualBox.

  • CVE-2021-2280 (information disclosure)

Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Easily exploitable vulnerability allows
unauthenticated attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability
can result in unauthorized access to critical data or complete access
to all Oracle VM VirtualBox accessible data.

  • CVE-2021-2281 (arbitrary filesystem access)

Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Easily exploitable vulnerability allows
unauthenticated attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability
can result in unauthorized creation, deletion or modification access to
critical data or all Oracle VM VirtualBox accessible data.

  • CVE-2021-2282 (information disclosure)

Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Easily exploitable vulnerability allows
unauthenticated attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability
can result in unauthorized access to critical data or complete access
to all Oracle VM VirtualBox accessible data.

  • CVE-2021-2283 (information disclosure)

Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Easily exploitable vulnerability allows
unauthenticated attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability
can result in unauthorized access to critical data or complete access
to all Oracle VM VirtualBox accessible data.

  • CVE-2021-2284 (arbitrary filesystem access)

Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Easily exploitable vulnerability allows
unauthenticated attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability
can result in unauthorized creation, deletion or modification access to
critical data or all Oracle VM VirtualBox accessible data.

  • CVE-2021-2285 (information disclosure)

Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Easily exploitable vulnerability allows
unauthenticated attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability
can result in unauthorized access to critical data or complete access
to all Oracle VM VirtualBox accessible data.

  • CVE-2021-2286 (arbitrary filesystem access)

Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Easily exploitable vulnerability allows
unauthenticated attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability
can result in unauthorized creation, deletion or modification access to
critical data or all Oracle VM VirtualBox accessible data.

  • CVE-2021-2287 (information disclosure)

Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Easily exploitable vulnerability allows
unauthenticated attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability
can result in unauthorized access to critical data or complete access
to all Oracle VM VirtualBox accessible data.

  • CVE-2021-2291 (information disclosure)

Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Difficult to exploit vulnerability allows
low privileged attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful
attacks of this vulnerability can result in unauthorized access to
critical data or complete access to all Oracle VM VirtualBox accessible
data.

  • CVE-2021-2296 (information disclosure)

Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Difficult to exploit vulnerability allows
high privileged attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability
can result in unauthorized access to critical data or complete access
to all Oracle VM VirtualBox accessible data.

  • CVE-2021-2297 (information disclosure)

Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Difficult to exploit vulnerability allows
high privileged attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability
can result in unauthorized access to critical data or complete access
to all Oracle VM VirtualBox accessible data.

  • CVE-2021-2306 (information disclosure)

Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Easily exploitable vulnerability allows
high privileged attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability
can result in unauthorized access to critical data or complete access
to all Oracle VM VirtualBox accessible data.

  • CVE-2021-2309 (arbitrary code execution)

Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Difficult to exploit vulnerability allows
high privileged attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability
can result in takeover of Oracle VM VirtualBox.

  • CVE-2021-2310 (arbitrary code execution)

Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Difficult to exploit vulnerability allows
high privileged attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability
can result in takeover of Oracle VM VirtualBox.

  • CVE-2021-2321 (information disclosure)

Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Easily exploitable vulnerability allows
high privileged attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability
can result in unauthorized access to critical data or complete access
to all Oracle VM VirtualBox accessible data.

Impact

An attacker is able to execute arbitrary code, read sensitive
information, and read filesystem information through various means.

References

https://www.oracle.com/security-alerts/cpuapr2021verbose.html#OVIR
https://security.archlinux.org/CVE-2021-2145
https://security.archlinux.org/CVE-2021-2250
https://security.archlinux.org/CVE-2021-2266
https://security.archlinux.org/CVE-2021-2279
https://security.archlinux.org/CVE-2021-2280
https://security.archlinux.org/CVE-2021-2281
https://security.archlinux.org/CVE-2021-2282
https://security.archlinux.org/CVE-2021-2283
https://security.archlinux.org/CVE-2021-2284
https://security.archlinux.org/CVE-2021-2285
https://security.archlinux.org/CVE-2021-2286
https://security.archlinux.org/CVE-2021-2287
https://security.archlinux.org/CVE-2021-2291
https://security.archlinux.org/CVE-2021-2296
https://security.archlinux.org/CVE-2021-2297
https://security.archlinux.org/CVE-2021-2306
https://security.archlinux.org/CVE-2021-2309
https://security.archlinux.org/CVE-2021-2310
https://security.archlinux.org/CVE-2021-2321

OS         Version  Architecture  Package     Version     Filename
ArchLinux  any      any           virtualbox  < 6.1.20-1  UNKNOWN
