| Summary: | virtualbox new security issues CVE-2018-2909, CVE-2018-328[7-9], CVE-2018-329[0-8] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, jim, sysadmin-bugs, tmb, wilcal.int |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK | ||
| Source RPM: | virtualbox-5.2.18-1.mga7.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2018-10-17 23:11:57 CEST
David Walser
2018-10-17 23:12:36 CEST
Whiteboard: (none) => MGA6TOO

Advisory will follow...

SRPMS:
kmod-vboxadditions-5.2.20-1.mga6.src.rpm
kmod-virtualbox-5.2.20-1.mga6.src.rpm
virtualbox-5.2.20-1.mga6.src.rpm

i586:
dkms-vboxadditions-5.2.20-1.mga6.noarch.rpm
dkms-virtualbox-5.2.20-1.mga6.noarch.rpm
python-virtualbox-5.2.20-1.mga6.i586.rpm
vboxadditions-kernel-4.14.78-desktop-1.mga6-5.2.20-1.mga6.i586.rpm
vboxadditions-kernel-4.14.78-desktop586-1.mga6-5.2.20-1.mga6.i586.rpm
vboxadditions-kernel-4.14.78-server-1.mga6-5.2.20-1.mga6.i586.rpm
vboxadditions-kernel-desktop586-latest-5.2.20-1.mga6.i586.rpm
vboxadditions-kernel-desktop-latest-5.2.20-1.mga6.i586.rpm
vboxadditions-kernel-server-latest-5.2.20-1.mga6.i586.rpm
virtualbox-5.2.20-1.mga6.i586.rpm
virtualbox-devel-5.2.20-1.mga6.i586.rpm
virtualbox-guest-additions-5.2.20-1.mga6.i586.rpm
virtualbox-kernel-4.14.78-desktop-1.mga6-5.2.20-1.mga6.i586.rpm
virtualbox-kernel-4.14.78-desktop586-1.mga6-5.2.20-1.mga6.i586.rpm
virtualbox-kernel-4.14.78-server-1.mga6-5.2.20-1.mga6.i586.rpm
virtualbox-kernel-desktop586-latest-5.2.20-1.mga6.i586.rpm
virtualbox-kernel-desktop-latest-5.2.20-1.mga6.i586.rpm
virtualbox-kernel-server-latest-5.2.20-1.mga6.i586.rpm
x11-driver-video-vboxvideo-5.2.20-1.mga6.i586.rpm

x86_64:
dkms-vboxadditions-5.2.20-1.mga6.noarch.rpm
dkms-virtualbox-5.2.20-1.mga6.noarch.rpm
python-virtualbox-5.2.20-1.mga6.x86_64.rpm
vboxadditions-kernel-4.14.78-desktop-1.mga6-5.2.20-1.mga6.x86_64.rpm
vboxadditions-kernel-4.14.78-server-1.mga6-5.2.20-1.mga6.x86_64.rpm
vboxadditions-kernel-desktop-latest-5.2.20-1.mga6.x86_64.rpm
vboxadditions-kernel-server-latest-5.2.20-1.mga6.x86_64.rpm
virtualbox-5.2.20-1.mga6.x86_64.rpm
virtualbox-devel-5.2.20-1.mga6.x86_64.rpm
virtualbox-guest-additions-5.2.20-1.mga6.x86_64.rpm
virtualbox-kernel-4.14.78-desktop-1.mga6-5.2.20-1.mga6.x86_64.rpm
virtualbox-kernel-4.14.78-server-1.mga6-5.2.20-1.mga6.x86_64.rpm
virtualbox-kernel-desktop-latest-5.2.20-1.mga6.x86_64.rpm
virtualbox-kernel-server-latest-5.2.20-1.mga6.x86_64.rpm
x11-driver-video-vboxvideo-5.2.20-1.mga6.x86_64.rpm

Assignee: tmb => qa-bugs

on mga6-64 plasma
packages installed cleanly
- dkms-virtualbox-5.2.20-1.mga6.noarch
- virtualbox-5.2.20-1.mga6.x86_64
- virtualbox-kernel-4.14.78-desktop-1.mga6-5.2.20-1.mga6.x86_64
- virtualbox-kernel-desktop-latest-5.2.20-1.mga6.x86_64
vbox relaunched normally
extension pack upgraded cleanly
mga6-32 (plasma) and mga6-64 (plasma) clients launched normally
updated vboxadditions and vboxvideo on mga6-32 and mga6-64 clients
both re-launched normally
no regressions noted
OK for mga6-64 on this system:
Machine: Device: desktop System: Dell product: Precision Tower 3620
Mobo: Dell model: 09WH54 v: A00 UEFI [Legacy]: Dell v: 2.11.0
CPU: Quad core Intel Core i7-6700 (-HT-MCP-)
Graphics: Card: Intel HD Graphics 530

CC: (none) => jim

James Kerr
2018-10-30 17:25:45 CET
Whiteboard: (none) => MGA6-64-OK

On an HP Probook 6550b host, i3, 8GB, Intel graphics, Intel wifi, 64-bit Plasma system.

This system does not have dkms-virtualbox installed by design, to ensure that the pre-built kernel modules are tested, and not those built locally. None of the Mageia guests have dkms installed, for the same reason.

Packages installed cleanly.
- virtualbox-5.2.20-1.mga6.x86_64
- virtualbox-kernel-4.14.78-desktop-1.mga6-5.2.20-1.mga6.x86_64
- virtualbox-kernel-desktop-latest-5.2.20-1.mga6.x86_64

VirtualBox launched normally, extension pack downloaded and installed without incident.

Mageia 6 32-bit and 64-bit Plasma guests run, updated, rebooted, and vboxadditions updated to version 5.2.20. Windows XP guest run, guest additions downloaded and updated, antimalware program updated after scolding.

All guests run normally. Ok on this hardware.

CC: (none) => andrewsfarm

Used the above install to create a new Mageia 6.1 Plasma guest, and update it. Everything worked as expected.

On real hardware, M6, Plasma, 64-bit
Package(s) under test:
virtualbox
default install of packages:
kernel-desktop-latest
virtualbox vboxadditions-kernel-desktop-latest dkms-virtualbox
virtualbox-guest-additions virtualbox-kernel-desktop-latest x11-driver-video-vboxvideo
kernel-desktop-devel-latest
The following 10 packages are going to be installed:
- dkms-virtualbox-5.2.18-1.mga6.noarch
- vboxadditions-kernel-4.14.78-desktop-1.mga6-5.2.18-10.mga6.x86_64
- vboxadditions-kernel-desktop-latest-5.2.18-10.mga6.x86_64
- virtualbox-5.2.18-1.mga6.x86_64
- virtualbox-doc-5.1.30-1.mga6.noarch
- virtualbox-guest-additions-5.2.18-1.mga6.x86_64
- virtualbox-kernel-4.14.78-desktop-1.mga6-5.2.18-10.mga6.x86_64
- virtualbox-kernel-desktop-latest-5.2.18-10.mga6.x86_64
- x11-driver-video-vboxvideo-5.2.18-1.mga6.x86_64
- xrandr-1.5.0-1.mga6.x86_64
[root@localhost wilcal]# uname -a
Linux localhost 4.14.78-desktop-1.mga6 #1 SMP Sun Oct 21 20:31:12 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi kernel-desktop-latest
Package kernel-desktop-latest-4.14.78-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-5.2.18-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi vboxadditions-kernel-desktop-latest
Package vboxadditions-kernel-desktop-latest-5.2.18-10.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi dkms-virtualbox
Package dkms-virtualbox-5.2.18-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi virtualbox-guest-additions
Package virtualbox-guest-additions-5.2.18-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi virtualbox-kernel-desktop-latest
Package virtualbox-kernel-desktop-latest-5.2.18-10.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi x11-driver-video-vboxvideo
Package x11-driver-video-vboxvideo-5.2.18-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi kernel-desktop-devel-latest
Package kernel-desktop-devel-latest-4.14.78-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi dkms-nvidia-current
Package dkms-nvidia-current-390.87-1.mga6.nonfree.x86_64 is already installed
[wilcal@localhost ~]$ lspci -k
01:00.0 VGA compatible controller: NVIDIA Corporation GF108 [GeForce GT 440] (rev a1)
Subsystem: Gigabyte Technology Co., Ltd Device 3518
Kernel driver in use: nvidia
Kernel modules: nvidiafb, nouveau, nvidia_drm, nvidia_current
Mageia-6-LiveDVD-Xfce-i586-DVD.iso
Boots to a working desktop. Common apps work.
Screen sizes are correct.
install from updates testing:
kernel-desktop-latest
virtualbox vboxadditions-kernel-desktop-latest dkms-virtualbox
virtualbox-guest-additions virtualbox-kernel-desktop-latest x11-driver-video-vboxvideo
kernel-desktop-devel-latest
The following 8 packages are going to be installed:
- dkms-virtualbox-5.2.20-1.mga6.noarch
- vboxadditions-kernel-4.14.78-desktop-1.mga6-5.2.20-1.mga6.x86_64
- vboxadditions-kernel-desktop-latest-5.2.20-1.mga6.x86_64
- virtualbox-5.2.20-1.mga6.x86_64
- virtualbox-guest-additions-5.2.20-1.mga6.x86_64
- virtualbox-kernel-4.14.78-desktop-1.mga6-5.2.20-1.mga6.x86_64
- virtualbox-kernel-desktop-latest-5.2.20-1.mga6.x86_64
- x11-driver-video-vboxvideo-5.2.20-1.mga6.x86_64
[root@localhost wilcal]# uname -a
Linux localhost 4.14.78-desktop-1.mga6 #1 SMP Sun Oct 21 20:31:12 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi kernel-desktop-latest
Package kernel-desktop-latest-4.14.78-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-5.2.20-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi vboxadditions-kernel-desktop-latest
Package vboxadditions-kernel-desktop-latest-5.2.20-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi dkms-virtualbox
Package dkms-virtualbox-5.2.20-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi virtualbox-guest-additions
Package virtualbox-guest-additions-5.2.20-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi virtualbox-kernel-desktop-latest
Package virtualbox-kernel-desktop-latest-5.2.20-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi x11-driver-video-vboxvideo
Package x11-driver-video-vboxvideo-5.2.20-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi kernel-desktop-devel-latest
Package kernel-desktop-devel-latest-4.14.78-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi dkms-nvidia-current
Package dkms-nvidia-current-390.87-1.mga6.nonfree.x86_64 is already installed
[wilcal@localhost ~]$ lspci -k
01:00.0 VGA compatible controller: NVIDIA Corporation GF108 [GeForce GT 440] (rev a1)
Subsystem: Gigabyte Technology Co., Ltd Device 3518
Kernel driver in use: nvidia
Kernel modules: nvidiafb, nouveau, nvidia_drm, nvidia_current
Mageia-6-LiveDVD-GNOME-x86_64-DVD.iso
M6 x86_64 Gnome Live-DVD runs as a Vbox client.
Boots to a working desktop. Common apps work.
Screen sizes are correct.
Mageia-6.1-LiveDVD-Plasma-x86_64-DVD.iso
Installs, updates then boots back to a working desktop.
Hardware used:
Intel Core i5-4460 Haswell Quad-Core 3.2GHz LGA 115
Gigabyte GA-B85M-D3H LGA 1150 Intel B85 chipset
Integrated Graphics Processor - Intel HD Graphics support
Audio chipset - Realtek ALC892, 7.1 channels
Corsair Vengeance 8GB ( 2 x 4GB ) 240-pin DDR3 SDRAM 1600

CC: (none) => wilcal.int

Host hardware: Athlon X2 7750, 8GB RAM, Nvidia 9800 GT graphics (nvidia340 driver), Atheros wifi.

Host is running a 64-bit Plasma system, using the server kernel. As with the system in Comment 3, this system does not have dkms-virtualbox installed, to ensure that the pre-built kernel modules would be the ones used.

Guest systems: 1 64-bit MGA6 Plasma system, 1 32-bit MGA6 Plasma system, and one Windows XP system.

Host packages installed cleanly, host extension pack updated without incident. Each guest, in turn, was updated, and all packages in them installed cleanly, as well.

Looks good on this hardware.

I updated this on a third 64-bit install, then exported guests from the machine in Comment 3 and imported them into this third install. All without incident, and all worked fine in the new install afterward.

I see no reason to hold this back any longer. Validating.

Keywords: (none) => validated_update
Advisory, added to svn:
type: security
subject: Updated virtualbox packages fix security vulnerabilities
CVE:
- CVE-2018-0732
- CVE-2018-2909
- CVE-2018-3287
- CVE-2018-3288
- CVE-2018-3289
- CVE-2018-3290
- CVE-2018-3291
- CVE-2018-3292
- CVE-2018-3293
- CVE-2018-3294
- CVE-2018-3295
- CVE-2018-3296
- CVE-2018-3297
- CVE-2018-3298
src:
  6:
    core:
    - virtualbox-5.2.20-1.mga6
    - kmod-virtualbox-5.2.20-1.mga6
    - kmod-vboxadditions-5.2.20-1.mga6
description: |
  This update provides virtualbox 5.2.20 and fixes the following security
  vulnerabilities:

  During key agreement in a TLS handshake using a DH(E) based ciphersuite
  a malicious server can send a very large prime value to the client. This
  will cause the client to spend an unreasonably long period of time
  generating a key for this prime resulting in a hang until the client has
  finished. This could be exploited in a Denial Of Service attack
  (CVE-2018-0732).

  Vulnerability in VirtualBox contains an easily exploitable vulnerability
  that allows unauthenticated attacker with logon to the infrastructure
  where VirtualBox executes to compromise VirtualBox. Successful attacks
  require human interaction from a person other than the attacker and while
  the vulnerability is in VirtualBox, attacks may significantly impact
  additional products. Successful attacks of this vulnerability can result
  in takeover of VirtualBox (CVE-2018-2909, CVE-2018-3287, CVE-2018-3288,
  CVE-2018-3289, CVE-2018-3290, CVE-2018-3291, CVE-2018-3292, CVE-2018-3293,
  CVE-2018-3295, CVE-2018-3296, CVE-2018-3297, CVE-2018-3298).

  Vulnerability in VirtualBox contains an easily exploitable vulnerability
  that allows unauthenticated attacker with low privileged attacker with
  network access via VRDP to compromise VirtualBox. Successful attacks
  require human interaction from a person other than the attacker and while
  the vulnerability is in VirtualBox, attacks may significantly impact
  additional products. Successful attacks of this vulnerability can result
  in takeover of VirtualBox (CVE-2018-3294).

  For other fixes in this update, see the referenced changelog.
references:
- https://bugs.mageia.org/show_bug.cgi?id=23719
- https://www.virtualbox.org/wiki/Changelog#20
- https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixOVIR

CC: (none) => tmb

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0437.html

Status: NEW => RESOLVED
|
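
A check that a host's VirtualBox packages have reached the fixed version named in the advisory above (5.2.20), as an added example that is not part of the bug report or of Mageia's tooling. The package names are copied from the install lists in this report; the prefix list and the purely numeric version comparison are assumptions of the example.

```python
import re

FIXED = "5.2.20"  # fixed VirtualBox version named in the advisory

# Name prefixes of the VirtualBox packages listed in this report.
VBOX_PREFIXES = ("virtualbox", "vboxadditions", "dkms-virtualbox",
                 "dkms-vboxadditions", "python-virtualbox",
                 "x11-driver-video-vboxvideo")

def split_nvra(pkg):
    """Split name-version-release.arch from the right: names such as
    virtualbox-kernel-4.14.78-desktop-1.mga6 contain dashes and versions."""
    pkg = pkg.strip()
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    nvr, arch = pkg.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch

def vtuple(version):
    # Assumption: purely numeric dotted versions; rpm's real ordering is richer.
    return tuple(int(p) for p in re.findall(r"\d+", version))

def outdated(packages, fixed=FIXED):
    """Return VirtualBox-related packages whose version is below `fixed`."""
    stale = []
    for pkg in packages:
        name, version, _release, _arch = split_nvra(pkg)
        if name.startswith(VBOX_PREFIXES) and vtuple(version) < vtuple(fixed):
            stale.append(pkg)
    return stale

# Package names copied from the "before" and "after" lists in this report.
BEFORE = [
    "dkms-virtualbox-5.2.18-1.mga6.noarch",
    "virtualbox-5.2.18-1.mga6.x86_64",
    "virtualbox-doc-5.1.30-1.mga6.noarch",
    "virtualbox-kernel-4.14.78-desktop-1.mga6-5.2.18-10.mga6.x86_64",
    "xrandr-1.5.0-1.mga6.x86_64",
]
AFTER = [
    "dkms-virtualbox-5.2.20-1.mga6.noarch",
    "virtualbox-5.2.20-1.mga6.x86_64",
    "virtualbox-kernel-4.14.78-desktop-1.mga6-5.2.20-1.mga6.x86_64",
]

if __name__ == "__main__":
    print("stale before:", outdated(BEFORE))
    print("stale after: ", outdated(AFTER))
```

On a real host the list would come from `rpm -qa` output rather than the embedded samples.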