VDB
GCVE-110-MAGEIA-2018-437
GCVE-110-MAGEIA-2018-437
Advisory Published
This update provides virtualbox 5.2.20 and fixes the following security
vulnerabilities:
During key agreement in a TLS handshake using a DH(E) based ciphersuite
a malicious server can send a very large prime value to the client. This
will cause the client to spend an unreasonably long period of time
generating a key for this prime resulting in a hang until the client has
finished. This could be exploited in a Denial Of Service attack
(CVE-2018-0732).
Vulnerability in VirtualBox contains an easily exploitable vulnerability
that allows unauthenticated attacker with logon to the infrastructure
where VirtualBox executes to compromise VirtualBox. Successful attacks
require human interaction from a person other than the attacker and while
the vulnerability is in VirtualBox, attacks may significantly impact
additional products. Successful attacks of this vulnerability can result
in takeover of VirtualBox (CVE-2018-2909, CVE-2018-3287, (CVE-2018-3288,
CVE-2018-3289, CVE-2018-3290, CVE-2018-3291, CVE-2018-3292, CVE-2018-3293,
CVE-2018-3295, CVE-2018-3296, CVE-2018-3297, CVE-2018-3298).
Vulnerability in VirtualBox contains an easily exploitable vulnerability
that allows unauthenticated attacker with llow privileged attacker with
network access via VRDP to compromise VirtualBox. Successful attacks
require human interaction from a person other than the attacker and while
the vulnerability is in VirtualBox, attacks may significantly impact
additional products. Successful attacks of this vulnerability can result
in takeover of VirtualBox (CVE-2018-3294).
For other fixes in this update, see the referenced changelog.
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| Mageia | kmod-virtualbox | 0 (affected), 5.2.20-1.mga6 (unaffected) | — |
| Mageia | virtualbox | 0 (affected), 5.2.20-1.mga6 (unaffected) | — |
| Mageia | kmod-vboxadditions | 0 (affected), 5.2.20-1.mga6 (unaffected) | — |
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.