VDB

GCVE-110-MAGEIA-2018-437

GCVE-110-MAGEIA-2018-437
Advisory Published
Vulnetix · Advisory published November 3, 2018
This update provides virtualbox 5.2.20 and fixes the following security vulnerabilities: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack (CVE-2018-0732). Vulnerability in VirtualBox contains an easily exploitable vulnerability that allows unauthenticated attacker with logon to the infrastructure where VirtualBox executes to compromise VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of VirtualBox (CVE-2018-2909, CVE-2018-3287, (CVE-2018-3288, CVE-2018-3289, CVE-2018-3290, CVE-2018-3291, CVE-2018-3292, CVE-2018-3293, CVE-2018-3295, CVE-2018-3296, CVE-2018-3297, CVE-2018-3298). Vulnerability in VirtualBox contains an easily exploitable vulnerability that allows unauthenticated attacker with llow privileged attacker with network access via VRDP to compromise VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of VirtualBox (CVE-2018-3294). For other fixes in this update, see the referenced changelog.

Affected Products

VendorProductVersionsPlatforms
Mageiakmod-virtualbox0 (affected), 5.2.20-1.mga6 (unaffected)
Mageiavirtualbox0 (affected), 5.2.20-1.mga6 (unaffected)
Mageiakmod-vboxadditions0 (affected), 5.2.20-1.mga6 (unaffected)

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›