Bug#1029153: virtualbox: CVE-2023-21884 CVE-2023-21885 CVE-2023-21886 CVE-2023-21889 CVE-2023-21898 CVE-2023-21899

[Andres Salomon]

On Wed, 18 Jan 2023 17:28:47 +0100 =?UTF-8?Q?Moritz_M=C3=BChlenhoff?= 
 wrote:

> Source: virtualbox
> X-Debbugs-CC: t...@security.debian.org
> Severity: grave
> Tags: security
>
> Hi,
>
> The following vulnerabilities were published for virtualbox.
>
> Fixed in 7.0.6
>

Also fixed in 6.1.42. Bullseye-fasttrack currently has 6.1.40. I'm 
curious if you think the 7.0 series is stable enough for 
bullseye-fasttrack yet?

Bug#1029153: virtualbox: CVE-2023-21884 CVE-2023-21885 CVE-2023-21886 CVE-2023-21889 CVE-2023-21898 CVE-2023-21899

[Moritz Mühlenhoff]

Source: virtualbox
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for virtualbox.

Fixed in 7.0.6

CVE-2023-21884[0]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are affected
| are Prior to 6.1.42 and prior to 7.0.6. Easily exploitable
| vulnerability allows high privileged attacker with logon to the
| infrastructure where Oracle VM VirtualBox executes to compromise
| Oracle VM VirtualBox. Successful attacks of this vulnerability can
| result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS 3.1 Base
| Score 4.4 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21885[1]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are affected
| are Prior to 6.1.42 and prior to 7.0.6. Easily exploitable
| vulnerability allows low privileged attacker with logon to the
| infrastructure where Oracle VM VirtualBox executes to compromise
| Oracle VM VirtualBox. While the vulnerability is in Oracle VM
| VirtualBox, attacks may significantly impact additional products
| (scope change). Successful attacks of this vulnerability can result in
| unauthorized read access to a subset of Oracle VM VirtualBox
| accessible data. Note: Applies to Windows only. CVSS 3.1 Base Score
| 3.8 (Confidentiality impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N).


CVE-2023-21886[2]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are affected
| are Prior to 6.1.42 and prior to 7.0.6. Difficult to exploit
| vulnerability allows unauthenticated attacker with network access via
| multiple protocols to compromise Oracle VM VirtualBox. Successful
| attacks of this vulnerability can result in takeover of Oracle VM
| VirtualBox. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and
| Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).


CVE-2023-21889[3]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are affected
| are Prior to 6.1.42 and prior to 7.0.6. Easily exploitable
| vulnerability allows low privileged attacker with logon to the
| infrastructure where Oracle VM VirtualBox executes to compromise
| Oracle VM VirtualBox. While the vulnerability is in Oracle VM
| VirtualBox, attacks may significantly impact additional products
| (scope change). Successful attacks of this vulnerability can result in
| unauthorized read access to a subset of Oracle VM VirtualBox
| accessible data. CVSS 3.1 Base Score 3.8 (Confidentiality impacts).
| CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N).


CVE-2023-21898[4]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are affected
| are Prior to 6.1.42 and prior to 7.0.6. Easily exploitable
| vulnerability allows low privileged attacker with logon to the
| infrastructure where Oracle VM VirtualBox executes to compromise
| Oracle VM VirtualBox. Successful attacks of this vulnerability can
| result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of Oracle VM VirtualBox. Note: Applies
| to VirtualBox VMs running Windows 7 and later. CVSS 3.1 Base Score 5.5
| (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21899[5]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are affected
| are Prior to 6.1.42 and prior to 7.0.6. Easily exploitable
| vulnerability allows low privileged attacker with logon to the
| infrastructure where Oracle VM VirtualBox executes to compromise
| Oracle VM VirtualBox. Successful attacks of this vulnerability can
| result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of Oracle VM VirtualBox. Note: Applies
| to VirtualBox VMs running Windows 7 and later. CVSS 3.1 Base Score 5.5
| (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-21884
https://www.cve.org/CVERecord?id=CVE-2023-21884
[1] https://security-tracker.debian.org/tracker/CVE-2023-21885
https://www.cve.org/CVERecord?id=CVE-2023-21885
[2] https://security-tracker.debian.org/tracker/CVE-2023-21886
https://www.cve.org/CVERecord?id=CVE-2023-21886
[3] https://security-tracker.debian.org/tracker/CVE-2023-21889