Detections
Analytics

Debian DLA-313-1 : virtualbox-ose security update

medium Nessus Plugin ID 86195

Language:

Synopsis

The remote Debian host is missing a security update.

Description

The latest maintenance release of the VirtualBox (OSE) 3.2.x series (i.e., version 3.2.28) has been uploaded to Debian LTS (squeeze).
Thanks to Gianfranco Costamagna for preparing packages for review and upload by the Debian LTS Team.

Unfortunately, Oracle no longer provides information on specific security vulnerabilities in VirtualBox, thus we provide their latest 3.2.28 maintenance release in Debian LTS (squeeze) directly.

CVE-2013-3792

Oracle reported an unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 3.2.18, 4.0.20, 4.1.28, and 4.2.18 allows local users to affect availability via unknown vectors related to Core.

The fix for CVE-2013-3792 prevents a virtio-net host DoS vulnerability by adding large frame support to IntNet, VirtioNet and NetFilter plus dropping oversized frames.

CVE-2014-2486

Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.12 allows local users to affect integrity and availability via unknown vectors related to Core.

No further details have been provided, the attack range has been given as local, severity low.

CVE-2014-2488

Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.12 allows local users to affect confidentiality via unknown vectors related to Core.

No further details can been provided, the attack range has been given as local, severity low.

CVE-2014-2489

Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.12 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Core.

No further details can been provided, the attack range has been given as local, severity medium.

CVE-2015-2594

Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 4.0.32, 4.1.40, 4.2.32, and 4.3.30 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Core.

This update fixes an issue related to guests using bridged networking via WiFi.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Upgrade the affected packages.

See Also

https://lists.debian.org/debian-lts-announce/2015/09/msg00013.html

https://packages.debian.org/source/squeeze-lts/virtualbox-ose

Plugin Details

Severity: Medium

ID: 86195

File Name: debian_DLA-313.nasl

Version: 2.5

Type: local

Agent: unix

Published: 9/30/2015

Updated: 1/11/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.6

Temporal Score: 5.2

Vector: CVSS2#AV:L/AC:M/Au:S/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:virtualbox-ose-dkms, p-cpe:/a:debian:debian_linux:virtualbox-ose-guest-source, p-cpe:/a:debian:debian_linux:virtualbox-ose-fuse, p-cpe:/a:debian:debian_linux:virtualbox-ose-guest-x11, p-cpe:/a:debian:debian_linux:virtualbox-ose-qt, p-cpe:/a:debian:debian_linux:virtualbox-ose-guest-utils, cpe:/o:debian:debian_linux:6.0, p-cpe:/a:debian:debian_linux:virtualbox-ose-dbg, p-cpe:/a:debian:debian_linux:virtualbox-ose, p-cpe:/a:debian:debian_linux:virtualbox-ose-source, p-cpe:/a:debian:debian_linux:virtualbox-ose-guest-dkms

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/29/2015

Reference Information

CVE: CVE-2013-3792, CVE-2014-2486, CVE-2014-2488, CVE-2014-2489, CVE-2015-2594

BID: 60794, 68610, 68618, 68621, 75899