Description
Multiple serious vulnerabilities were found in Oracle VM VirtualBox. Malicious users can exploit these vulnerabilities to bypass security restrictions and cause denial of service.
Below is a complete list of vulnerabilities:
- A vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core) can be exploited remotely via VRDP network access, with human interaction from a person other than the attacker, to bypass security restrictions;
- Multiple vulnerabilities in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core) can be exploited locally via logon to the infrastructure without authentication, with human interaction from a person other than the attacker, to bypass security restrictions;
- A vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core) can be exploited remotely via the OpenSSL protocol to cause denial of service.
Technical details
Vulnerability (3) is related to an OpenSSL vulnerability (affected versions 1.1.0-1.1.0h, fixed in OpenSSL 1.1.0i-dev; affected versions 1.0.2-1.0.2o, fixed in OpenSSL 1.0.2p-dev). During key agreement in a TLS handshake using a DH(E)-based ciphersuite, a malicious server can send a very large prime value to the client. The client then spends an unreasonably long time generating a key for this prime, which results in a hang until the client has finished.
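A client can bound this work by checking the size of the server-supplied prime before generating any key. The following is an added example, not code from this advisory, Oracle or OpenSSL: it parses the TLS ServerDHParams fields (dh_p, dh_g, dh_Ys) and rejects an oversized dh_p. The 8192-bit limit and all function names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_DH_PRIME_BITS 8192u /* assumed local policy limit, not from the advisory */
enum dh_check { DH_OK = 0, DH_MALFORMED = -1, DH_PRIME_TOO_LARGE = -2 };

/* Read one TLS opaque<1..2^16-1> field: 2-byte big-endian length, then data. */
static int read_vec16(const uint8_t **p, size_t *left, const uint8_t **out, size_t *n) {
    if (*left < 2) return -1;
    *n = ((size_t)(*p)[0] << 8) | (*p)[1];
    if (*n == 0 || *n > *left - 2) return -1;   /* empty or truncated field */
    *out = *p + 2;
    *p += 2 + *n;
    *left -= 2 + *n;
    return 0;
}

/* Bit length of a big-endian unsigned integer, ignoring leading zero bytes. */
static size_t be_bits(const uint8_t *v, size_t n) {
    while (n > 0 && *v == 0) { v++; n--; }
    if (n == 0) return 0;
    size_t bits = n * 8;
    for (uint8_t top = *v; !(top & 0x80); top <<= 1) bits--;
    return bits;
}

/* Validate ServerDHParams (dh_p, dh_g, dh_Ys) before any key is generated. */
enum dh_check check_server_dh_params(const uint8_t *msg, size_t len) {
    const uint8_t *p, *g, *ys;
    size_t p_len, g_len, ys_len;
    if (read_vec16(&msg, &len, &p, &p_len) || read_vec16(&msg, &len, &g, &g_len) ||
        read_vec16(&msg, &len, &ys, &ys_len))
        return DH_MALFORMED;
    size_t p_bits = be_bits(p, p_len);
    if (p_bits > MAX_DH_PRIME_BITS) return DH_PRIME_TOO_LARGE; /* refuse the costly keygen */
    if (be_bits(g, g_len) > p_bits || be_bits(ys, ys_len) > p_bits) return DH_MALFORMED;
    return DH_OK;
}

/* Constructed sample: dh_p is p_bytes bytes of 0xff (not a real prime), dh_g = 2, dh_Ys = 5. */
enum dh_check check_constructed_sample(size_t p_bytes) {
    static uint8_t msg[2 + 65535 + 6];
    if (p_bytes == 0 || p_bytes > 65535) return DH_MALFORMED;
    msg[0] = (uint8_t)(p_bytes >> 8); msg[1] = (uint8_t)p_bytes;
    memset(msg + 2, 0xff, p_bytes);
    memcpy(msg + 2 + p_bytes, "\x00\x01\x02\x00\x01\x05", 6);
    return check_server_dh_params(msg, 2 + p_bytes + 6);
}
```

The length field alone allows a dh_p of up to 65535 bytes, so the check has to run on the parsed value before it reaches the key-generation routine.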
Original advisories
Exploitation
Public exploits exist for this vulnerability.
Related products
CVE list
- CVE-2018-3294 high
- CVE-2018-3288 warning
- CVE-2018-3289 warning
- CVE-2018-3290 warning
- CVE-2018-3296 warning
- CVE-2018-3297 warning
- CVE-2018-2909 warning
- CVE-2018-3298 warning
- CVE-2018-3291 warning
- CVE-2018-3292 warning
- CVE-2018-3293 warning
- CVE-2018-3295 warning
- CVE-2018-3287 warning
- CVE-2018-0732 warning