Kaspersky ID:
KLA11339
Detect Date:
10/16/2018
Updated:
01/22/2024

Description

Multiple serious vulnerabilities were found in Oracle VM VirtualBox. Malicious users can exploit these vulnerabilities to bypass security restrictions or cause denial of service.

Below is a complete list of vulnerabilities:

  1. A vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core) can be exploited remotely via VRDP network access, with human interaction from a person other than the attacker, to bypass security restrictions;
  2. Multiple vulnerabilities in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core) can be exploited locally via logon to the infrastructure without authentication, with human interaction from a person other than the attacker, to bypass security restrictions;
  3. A vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core) can be exploited remotely via the OpenSSL protocol to cause denial of service.

Technical details

Vulnerability (3) is related to an OpenSSL vulnerability (affected: 1.1.0-1.1.0h, fixed in OpenSSL 1.1.0i-dev; affected: 1.0.2-1.0.2o, fixed in OpenSSL 1.0.2p-dev). During key agreement in a TLS handshake using a DH(E)-based ciphersuite, a malicious server can send a very large prime value to the client. The client then spends an unreasonably long time generating a key for this prime, and hangs until it has finished.
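The client-side check that prevents this hang, as an added example (not code from this advisory or from OpenSSL): it parses the ServerDHParams structure of a TLS 1.2 ServerKeyExchange message and rejects an oversized prime before any key generation is attempted. The function names and sample messages are constructed for illustration, and the 10000-bit cap is an assumption modelled on OpenSSL's OPENSSL_DH_MAX_MODULUS_BITS.

```python
import struct

# Assumed cap for this example, modelled on OpenSSL's OPENSSL_DH_MAX_MODULUS_BITS.
# The wire format itself allows a prime of up to 65535 bytes (524280 bits).
MAX_DH_PRIME_BITS = 10000

class DHParamError(ValueError):
    """Raised when ServerDHParams is malformed or the prime is too large."""

def _read_vec16(buf, off):
    """Read one opaque<1..2^16-1> vector: 2-byte big-endian length, then data."""
    if off + 2 > len(buf):
        raise DHParamError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise DHParamError("vector length does not fit the message")
    return buf[off:off + n], off + n

def parse_server_dh_params(body):
    """Parse dh_p, dh_g, dh_Ys (RFC 5246, 7.4.3); trailing signature is ignored."""
    p, off = _read_vec16(body, 0)
    g, off = _read_vec16(body, off)
    ys, off = _read_vec16(body, off)
    return tuple(int.from_bytes(v, "big") for v in (p, g, ys))

def check_dh_prime(body, max_bits=MAX_DH_PRIME_BITS):
    """Return the prime's bit length, or raise before any exponentiation runs."""
    p, _g, _ys = parse_server_dh_params(body)
    bits = p.bit_length()
    if bits > max_bits:
        raise DHParamError(f"DH prime is {bits} bits, limit is {max_bits}")
    return bits

def _vec(value, size):
    """Encode an integer as a length-prefixed vector (test helper)."""
    return struct.pack("!H", size) + value.to_bytes(size, "big")

# Constructed sample messages; the values only have the right size, they are
# not real primes, because the check looks at size alone.
NORMAL = _vec((1 << 2047) | 1, 256) + _vec(2, 1) + _vec(5, 1)
OVERSIZED = _vec((1 << 16383) | 1, 2048) + _vec(2, 1) + _vec(5, 1)

if __name__ == "__main__":
    print("normal prime bits:", check_dh_prime(NORMAL))
    try:
        check_dh_prime(OVERSIZED)
    except DHParamError as exc:
        print("rejected:", exc)
```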

Original advisories

Exploitation

Public exploits exist for this vulnerability.

Related products

CVE list

  • CVE-2018-3294
    high
  • CVE-2018-3288
    warning
  • CVE-2018-3289
    warning
  • CVE-2018-3290
    warning
  • CVE-2018-3296
    warning
  • CVE-2018-3297
    warning
  • CVE-2018-2909
    warning
  • CVE-2018-3298
    warning
  • CVE-2018-3291
    warning
  • CVE-2018-3292
    warning
  • CVE-2018-3293
    warning
  • CVE-2018-3295
    warning
  • CVE-2018-3287
    warning
  • CVE-2018-0732
    warning
