ArchLinuxASA-202107-52[ASA-202107-52] virtualbox: multiple issues
8.2 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
4.6 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
0.0004 Low
EPSS
Percentile
14.2%
Arch Linux Security Advisory ASA-202107-52
Severity: High
Date : 2021-07-21
CVE-ID : CVE-2021-2409 CVE-2021-2442 CVE-2021-2443 CVE-2021-2454
Package : virtualbox
Type : multiple issues
Remote : No
Link : https://security.archlinux.org/AVG-2187
Summary
The package virtualbox before version 6.1.24-1 is vulnerable to
multiple issues including information disclosure, sandbox escape and
denial of service.
Resolution
Upgrade to 6.1.24-1.
pacman -Syu “virtualbox>=6.1.24-1”
The problems have been fixed upstream in version 6.1.24.
Workaround
None.
Description
- CVE-2021-2409 (sandbox escape)
A security issue has been found in Oracle VM VirtualBox before version
6.1.24. An easily exploitable vulnerability allows a high privileged
attacker with logon to the infrastructure where Oracle VM VirtualBox
executes to compromise Oracle VM VirtualBox. Successful attacks of this
vulnerability can result in a takeover of Oracle VM VirtualBox.
- CVE-2021-2442 (denial of service)
A security issue has been found in Oracle VM VirtualBox before version
6.1.24. An easily exploitable vulnerability allows a high privileged
attacker with logon to the infrastructure where Oracle VM VirtualBox
executes to compromise Oracle VM VirtualBox. Successful attacks of this
vulnerability can result in the unauthorized ability to cause a hang or
frequently repeatable crash (complete denial of service) of Oracle VM
VirtualBox.
- CVE-2021-2443 (information disclosure)
A security issue has been found in Oracle VM VirtualBox before version
6.1.24. An easily exploitable vulnerability allows a high privileged
attacker with logon to the infrastructure where Oracle VM VirtualBox
executes to compromise Oracle VM VirtualBox. Successful attacks of this
vulnerability can result in the unauthorized ability to cause a hang or
frequently repeatable crash (complete denial of service) of Oracle VM
VirtualBox as well as unauthorized update, insert or delete access to
some of Oracle VM VirtualBox accessible data and unauthorized read
access to a subset of Oracle VM VirtualBox accessible data.
- CVE-2021-2454 (sandbox escape)
A security issue has been found in Oracle VM VirtualBox before version
6.1.24. A difficult to exploit vulnerability allows a low privileged
attacker with logon to the infrastructure where Oracle VM VirtualBox
executes to compromise Oracle VM VirtualBox. Successful attacks of this
vulnerability can result in a takeover of Oracle VM VirtualBox.
Impact
A malicious virtual machine guest could escape its confinement to run
arbitrary code on the host system, disclose or modify sensitive
information, or crash VirtualBox.
References
https://www.oracle.com/security-alerts/cpujul2021verbose.html#OVIR
https://security.archlinux.org/CVE-2021-2409
https://security.archlinux.org/CVE-2021-2442
https://security.archlinux.org/CVE-2021-2443
https://security.archlinux.org/CVE-2021-2454
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| ArchLinux | any | any | virtualbox | < 6.1.24-1 | UNKNOWN |
Related
8.2 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
4.6 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
0.0004 Low
EPSS
Percentile
14.2%