MGASA-2018-0437 - Updated virtualbox packages fix security vulnerabilities

Publication date: 03 Nov 2018
URL: https://advisories.mageia.org/MGASA-2018-0437.html
Type: security
Affected Mageia releases: 6
CVE: CVE-2018-0732, CVE-2018-2909, CVE-2018-3287, CVE-2018-3288, CVE-2018-3289, CVE-2018-3290, CVE-2018-3291, CVE-2018-3292, CVE-2018-3293, CVE-2018-3294, CVE-2018-3295, CVE-2018-3296, CVE-2018-3297, CVE-2018-3298

This update provides virtualbox 5.2.20 and fixes the following security vulnerabilities:

During key agreement in a TLS handshake using a DH(E)-based ciphersuite, a malicious server can send a very large prime value to the client. This causes the client to spend an unreasonably long period of time generating a key for this prime, resulting in a hang until the client has finished. This could be exploited in a denial-of-service attack (CVE-2018-0732).

VirtualBox contains an easily exploitable vulnerability that allows an unauthenticated attacker with logon to the infrastructure where VirtualBox executes to compromise VirtualBox. Successful attacks require human interaction from a person other than the attacker and, while the vulnerability is in VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of VirtualBox (CVE-2018-2909, CVE-2018-3287, CVE-2018-3288, CVE-2018-3289, CVE-2018-3290, CVE-2018-3291, CVE-2018-3292, CVE-2018-3293, CVE-2018-3295, CVE-2018-3296, CVE-2018-3297, CVE-2018-3298).

VirtualBox contains an easily exploitable vulnerability that allows unauthenticated attacker with low privileged attacker with network access via VRDP to compromise VirtualBox. Successful attacks require human interaction from a person other than the attacker and, while the vulnerability is in VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of VirtualBox (CVE-2018-3294).

For other fixes in this update, see the referenced changelog.

References:
- https://bugs.mageia.org/show_bug.cgi?id=23719
- https://www.virtualbox.org/wiki/Changelog#20
- https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixOVIR
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0732
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2909
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3287
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3288
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3289
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3290
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3291
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3292
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3293
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3294
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3295
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3296
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3297
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3298

SRPMS:
- 6/core/virtualbox-5.2.20-1.mga6
- 6/core/kmod-virtualbox-5.2.20-1.mga6
- 6/core/kmod-vboxadditions-5.2.20-1.mga6