openSUSE 15 Security Update : virtualbox (openSUSE-SU-2021:0723-1)

high Nessus Plugin ID 149539

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

This update for virtualbox fixes the following issues :

- A Incorrect Default Permissions vulnerability in the packaging of virtualbox of openSUSE Factory allows local attackers in the vboxusers groupu to escalate to root. This issue affects: openSUSE Factory virtualbox version 6.1.20-1.1 and prior versions. (CVE-2021-25319)

- Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. (CVE-2021-2145, CVE-2021-2309, CVE-2021-2310)

- Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. (CVE-2021-2250)

- Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data as well as unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data.
(CVE-2021-2264)

- Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. (CVE-2021-2266, CVE-2021-2306)

- Improve autostart security boo#1182918.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1182918

http://www.nessus.org/u?441fb2bc

https://www.suse.com/security/cve/CVE-2021-2145

https://www.suse.com/security/cve/CVE-2021-2250

https://www.suse.com/security/cve/CVE-2021-2264

https://www.suse.com/security/cve/CVE-2021-2266

https://www.suse.com/security/cve/CVE-2021-2279

https://www.suse.com/security/cve/CVE-2021-2280

https://www.suse.com/security/cve/CVE-2021-2281

https://www.suse.com/security/cve/CVE-2021-2282

https://www.suse.com/security/cve/CVE-2021-2283

https://www.suse.com/security/cve/CVE-2021-2284

https://www.suse.com/security/cve/CVE-2021-2285

https://www.suse.com/security/cve/CVE-2021-2286

https://www.suse.com/security/cve/CVE-2021-2287

https://www.suse.com/security/cve/CVE-2021-2291

https://www.suse.com/security/cve/CVE-2021-2296

https://www.suse.com/security/cve/CVE-2021-2297

https://www.suse.com/security/cve/CVE-2021-2306

https://www.suse.com/security/cve/CVE-2021-2309

https://www.suse.com/security/cve/CVE-2021-2310

https://www.suse.com/security/cve/CVE-2021-2312

https://www.suse.com/security/cve/CVE-2021-25319

Plugin Details

Severity: High

ID: 149539

File Name: openSUSE-2021-723.nasl

Version: 1.8

Type: local

Agent: unix

Published: 5/18/2021

Updated: 11/28/2024

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.1

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 6

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2021-25319

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7.2

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:virtualbox-guest-source, p-cpe:/a:novell:opensuse:virtualbox-guest-tools, p-cpe:/a:novell:opensuse:virtualbox-guest-x11, p-cpe:/a:novell:opensuse:virtualbox-devel, p-cpe:/a:novell:opensuse:virtualbox-kmp-default, p-cpe:/a:novell:opensuse:virtualbox-guest-desktop-icons, p-cpe:/a:novell:opensuse:virtualbox-qt, p-cpe:/a:novell:opensuse:virtualbox-websrv, cpe:/o:novell:opensuse:15.2, p-cpe:/a:novell:opensuse:virtualbox-vnc, p-cpe:/a:novell:opensuse:virtualbox, p-cpe:/a:novell:opensuse:virtualbox-kmp-preempt, p-cpe:/a:novell:opensuse:virtualbox-host-source, p-cpe:/a:novell:opensuse:python3-virtualbox

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/9/2021

Vulnerability Publication Date: 4/20/2021

Reference Information

CVE: CVE-2021-2145, CVE-2021-2250, CVE-2021-2264, CVE-2021-2266, CVE-2021-2279, CVE-2021-2280, CVE-2021-2281, CVE-2021-2282, CVE-2021-2283, CVE-2021-2284, CVE-2021-2285, CVE-2021-2286, CVE-2021-2287, CVE-2021-2291, CVE-2021-2296, CVE-2021-2297, CVE-2021-2306, CVE-2021-2309, CVE-2021-2310, CVE-2021-2312, CVE-2021-25319