Bug 23421

Summary: virtualbox new security issues CVE-2018-3005, CVE-2018-3055, CVE-2018-308[5-9], CVE-2018-309[01]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, jim, sysadmin-bugs, tmb
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK
Source RPM: virtualbox-5.2.14-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2018-08-10 17:22:41 CEST 
openSUSE has issued an advisory today (August 10):
https://lists.opensuse.org/opensuse-updates/2018-08/msg00077.html

The issues are fixed upstream in 5.2.16.

Corresponding Oracle CPU:
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html#AppendixOVIR
Comment 1 Thomas Backlund 2018-08-16 18:18:41 CEST 

I will push out a 5.2.18 based update to testing after we have validated L1TF fixed 4.14.63-1

Status: NEW => ASSIGNED

Comment 2 Thomas Backlund 2018-08-24 22:56:52 CEST 
virtualbox rpms available for tests... advisory will follow...

SRPMS:
kmod-vboxadditions-5.2.18-1.mga6.src.rpm
kmod-virtualbox-5.2.18-1.mga6.src.rpm
virtualbox-5.2.18-1.mga6.src.rpm



i586:
dkms-vboxadditions-5.2.18-1.mga6.noarch.rpm
dkms-virtualbox-5.2.18-1.mga6.noarch.rpm
python-virtualbox-5.2.18-1.mga6.i586.rpm
vboxadditions-kernel-4.14.65-desktop-1.mga6-5.2.18-1.mga6.i586.rpm
vboxadditions-kernel-4.14.65-desktop586-1.mga6-5.2.18-1.mga6.i586.rpm
vboxadditions-kernel-4.14.65-server-1.mga6-5.2.18-1.mga6.i586.rpm
vboxadditions-kernel-desktop586-latest-5.2.18-1.mga6.i586.rpm
vboxadditions-kernel-desktop-latest-5.2.18-1.mga6.i586.rpm
vboxadditions-kernel-server-latest-5.2.18-1.mga6.i586.rpm
virtualbox-5.2.18-1.mga6.i586.rpm
virtualbox-devel-5.2.18-1.mga6.i586.rpm
virtualbox-guest-additions-5.2.18-1.mga6.i586.rpm
virtualbox-kernel-4.14.65-desktop-1.mga6-5.2.18-1.mga6.i586.rpm
virtualbox-kernel-4.14.65-desktop586-1.mga6-5.2.18-1.mga6.i586.rpm
virtualbox-kernel-4.14.65-server-1.mga6-5.2.18-1.mga6.i586.rpm
virtualbox-kernel-desktop586-latest-5.2.18-1.mga6.i586.rpm
virtualbox-kernel-desktop-latest-5.2.18-1.mga6.i586.rpm
virtualbox-kernel-server-latest-5.2.18-1.mga6.i586.rpm
x11-driver-video-vboxvideo-5.2.18-1.mga6.i586.rpm



x86_64:
dkms-vboxadditions-5.2.18-1.mga6.noarch.rpm
dkms-virtualbox-5.2.18-1.mga6.noarch.rpm
python-virtualbox-5.2.18-1.mga6.x86_64.rpm
vboxadditions-kernel-4.14.65-desktop-1.mga6-5.2.18-1.mga6.x86_64.rpm
vboxadditions-kernel-4.14.65-server-1.mga6-5.2.18-1.mga6.x86_64.rpm
vboxadditions-kernel-desktop-latest-5.2.18-1.mga6.x86_64.rpm
vboxadditions-kernel-server-latest-5.2.18-1.mga6.x86_64.rpm
virtualbox-5.2.18-1.mga6.x86_64.rpm
virtualbox-devel-5.2.18-1.mga6.x86_64.rpm
virtualbox-guest-additions-5.2.18-1.mga6.x86_64.rpm
virtualbox-kernel-4.14.65-desktop-1.mga6-5.2.18-1.mga6.x86_64.rpm
virtualbox-kernel-4.14.65-server-1.mga6-5.2.18-1.mga6.x86_64.rpm
virtualbox-kernel-desktop-latest-5.2.18-1.mga6.x86_64.rpm
virtualbox-kernel-server-latest-5.2.18-1.mga6.x86_64.rpm
x11-driver-video-vboxvideo-5.2.18-1.mga6.x86_64.rpm

Assignee: tmb => qa-bugs

Comment 3 James Kerr 2018-08-25 10:56:30 CEST 
on mga6-64

packages installed cleanly
- virtualbox-5.2.18-1.mga6.x86_64
- virtualbox-kernel-4.14.65-desktop-1.mga6-5.2.18-1.mga6.x86_64
- virtualbox-kernel-desktop-latest-5.2.18-1.mga6.x86_64
- dkms-virtualbox-5.2.18-1.mga6.noarch

vbox relaunched normally
extension pack upgraded cleanly
mga6-32 and mga6-64 clients launched normally

OK for mga6-64 on this system:

Machine:   Device: desktop System: Dell product: Precision Tower 3620
           Mobo: Dell model: 09WH54 v: A00 UEFI [Legacy]: Dell v: 2.11.0 
CPU:       Quad core Intel Core i7-6700 (-HT-MCP-)
Graphics:  Card: Intel HD Graphics 530

CC: (none) => jim

Comment 4 James Kerr 2018-08-25 11:01:32 CEST 
in a mga6-32 vbox client:

packages installed cleanly:
- vboxadditions-kernel-4.14.65-desktop-1.mga6-5.2.18-1.mga6.i586
- vboxadditions-kernel-desktop-latest-5.2.18-1.mga6.i586
- virtualbox-guest-additions-5.2.18-1.mga6.i586
- x11-driver-video-vboxvideo-5.2.18-1.mga6.i586
- dkms-vboxadditions-5.2.18-1.mga6.noarch  

client re-launched normally

OK in a mga6-32 client
Comment 5 James Kerr 2018-08-25 11:10:05 CEST 
in a mga6-64 client

packages installed cleanly:
- vboxadditions-kernel-4.14.65-desktop-1.mga6-5.2.18-1.mga6.x86_64
- vboxadditions-kernel-desktop-latest-5.2.18-1.mga6.x86_64
- virtualbox-guest-additions-5.2.18-1.mga6.x86_64
- x11-driver-video-vboxvideo-5.2.18-1.mga6.x86_64

client re-launched normally

OK in a mga6-64 client
Comment 6 James Kerr 2018-08-25 12:17:42 CEST 
(In reply to James Kerr from comment #3)
> on mga6-64
> 

winxp and win7 clients also OK on this system

> 
> Machine:   Device: desktop System: Dell product: Precision Tower 3620
>            Mobo: Dell model: 09WH54 v: A00 UEFI [Legacy]: Dell v: 2.11.0 
> CPU:       Quad core Intel Core i7-6700 (-HT-MCP-)
> Graphics:  Card: Intel HD Graphics 530
James Kerr 2018-08-27 10:35:54 CEST

Whiteboard: (none) => MGA6-64-OK

Comment 7 Thomas Andrews 2018-08-30 01:01:15 CEST 
Host system: HP Probook 6550b, i3,8GB RAM, Intel graphics, Intel wifi, 64-bit Plasma using the desktop kernel.

Guests: Two Mageia 6 Plasma systems, one 64-bit, one 32-bit. Windows XP guest also on this system, but was not checked out for this test.)

Host packages installed cleanly. Updated the extension pack using the "Check for Updates" function of the app. Ran both guests, got pending updates on each, then updated the guest additions and vboxvideo in each.

Guests worked as expected. Looks good here.

CC: (none) => andrewsfarm

Comment 8 Thomas Backlund 2018-08-31 19:11:09 CEST 
Advisory, added to svn:

type: security
subject: Updated virtualbox packages fix security vulnerabilities
CVE:
 - CVE-2018-3005
 - CVE-2018-3055
 - CVE-2018-3085
 - CVE-2018-3086
 - CVE-2018-3087
 - CVE-2018-3088
 - CVE-2018-3089
 - CVE-2018-3090
 - CVE-2018-3091
src:
  6:
   core:
     - virtualbox-5.2.18-1.mga6
     - kmod-virtualbox-5.2.18-1.mga6
     - kmod-vboxadditions-5.2.18-1.mga6
description: |
  This update provides the virtualbox 5.1.18 maintenance release that
  fixes atleast the following security issues:

  Fixed an easily exploitable vulnerability that allowed unauthenticated
  attacker with logon to the infrastructure where Oracle VM VirtualBox
  executes to compromise Oracle VM VirtualBox. Successful attacks of this
  vulnerability can result in unauthorized ability to cause a partial denial
  of service (partial DOS) of Oracle VM VirtualBox (CVE-2018-3005).

  Fixed an easily exploitable vulnerability that allowed unauthenticated
  attacker with logon to the infrastructure where Oracle VM VirtualBox
  executes to compromise Oracle VM VirtualBox. Successful attacks require
  human interaction from a person other than the attacker and while the
  vulnerability is in Oracle VM VirtualBox, attacks may significantly impact
  additional products. Successful attacks of this vulnerability can result
  in unauthorized ability to cause a hang or frequently repeatable crash
  (complete DOS) of Oracle VM VirtualBox and unauthorized read access to a
  subset of Oracle VM VirtualBox accessible data (CVE-2018-3055).

  Fixed an easily exploitable vulnerability that allowed unauthenticated
  attacker with logon to the infrastructure where Oracle VM VirtualBox
  executes to compromise Oracle VM VirtualBox. Successful attacks require
  human interaction from a person other than the attacker and while the
  vulnerability is in Oracle VM VirtualBox, attacks may significantly impact
  additional products. Successful attacks of this vulnerability can result
  in unauthorized creation, deletion or modification access to critical data
  or all Oracle VM VirtualBox accessible data as well as unauthorized read
  access to a subset of Oracle VM VirtualBox accessible data and unauthorized
  ability to cause a hang or frequently repeatable crash (complete DOS) of
  Oracle VM VirtualBox (CVE-2018-3085).

  Fixed an easily exploitable vulnerability that allowed unauthenticated
  attacker with logon to the infrastructure where Oracle VM VirtualBox
  executes to compromise Oracle VM VirtualBox. Successful attacks require
  human interaction from a person other than the attacker and while the
  vulnerability is in Oracle VM VirtualBox, attacks may significantly impact
  additional products. Successful attacks of this vulnerability can result
  in takeover of Oracle VM VirtualBox (CVE-2018-3086, CVE-2018-3087,
  CVE-2018-3088, CVE-2018-3089, CVE-2018-3090).

  Fixed an easily exploitable vulnerability allows unauthenticated attacker
  with logon to the infrastructure where Oracle VM VirtualBox executes to
  compromise Oracle VM VirtualBox. Successful attacks require human
  interaction from a person other than the attacker and while the
  vulnerability is in Oracle VM VirtualBox, attacks may significantly impact
  additional products. Successful attacks of this vulnerability can result
  in unauthorized access to critical data or complete access to all Oracle
  VM VirtualBox accessible data (CVE-2018-3091).

  For other fixes in this update, see the referenced changelog.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=23421
 - http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html#AppendixOVIR
 - https://lists.opensuse.org/opensuse-updates/2018-08/msg00077.html
 - https://www.virtualbox.org/wiki/Changelog#18

Keywords: (none) => advisory
CC: (none) => tmb

Thomas Backlund 2018-08-31 22:12:44 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2018-08-31 23:13:17 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0360.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED