Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2017.0058
Security Advisory: Oracle Virtualization
20 April 2017
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Oracle Virtualization
Operating System: Virtualisation
Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Modify Arbitrary Files -- Remote/Unauthenticated
Access Privileged Data -- Existing Account
Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2017-3731 CVE-2017-3587 CVE-2017-3576
CVE-2017-3575 CVE-2017-3563 CVE-2017-3561
CVE-2017-3559 CVE-2017-3558 CVE-2017-3538
CVE-2017-3513 CVE-2016-8743 CVE-2016-5407
CVE-2016-3739 CVE-2016-0762 CVE-2013-1982
Member content until: Saturday, May 20 2017
Reference: ASB-2017.0021
ESB-2017.0930
ESB-2017.0865
ESB-2017.0814
ESB-2017.0715
OVERVIEW
Multiple vulnerabilities have been identified in the following
components of Oracle Virtualization:
Oracle VM VirtualBox, version(s) prior to 5.0.38, prior to 5.1.20
Secure Global Desktop, version(s) 4.71, 5.2, 5.3. [1]
IMPACT
The vendor has provided the following information:
"CVE-2016-5407 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Easily exploitable vulnerability allows unauthenticated attacker
with network access via TCP to compromise Secure Global Desktop.
Successful attacks of this vulnerability can result in takeover of
Secure Global Desktop.
CVE-2017-3561 8.8 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Easily exploitable vulnerability allows low privileged attacker with
logon to the infrastructure where Oracle VM VirtualBox executes to
compromise Oracle VM VirtualBox. While the vulnerability is in
Oracle VM VirtualBox, attacks may significantly impact additional
products. Successful attacks of this vulnerability can result in
takeover of Oracle VM VirtualBox.
CVE-2017-3563 8.8 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Easily exploitable vulnerability allows low privileged attacker with
logon to the infrastructure where Oracle VM VirtualBox executes to
compromise Oracle VM VirtualBox. While the vulnerability is in
Oracle VM VirtualBox, attacks may significantly impact additional
products. Successful attacks of this vulnerability can result in
takeover of Oracle VM VirtualBox.
CVE-2017-3576 8.8 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Easily exploitable vulnerability allows low privileged attacker with
logon to the infrastructure where Oracle VM VirtualBox executes to
compromise Oracle VM VirtualBox. While the vulnerability is in
Oracle VM VirtualBox, attacks may significantly impact additional
products. Successful attacks of this vulnerability can result in
takeover of Oracle VM VirtualBox.
CVE-2017-3558 8.5 AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H
Easily exploitable vulnerability allows unauthenticated attacker
with logon to the infrastructure where Oracle VM VirtualBox executes
to compromise Oracle VM VirtualBox. While the vulnerability is in
Oracle VM VirtualBox, attacks may significantly impact additional
products. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash
(complete DOS) of Oracle VM VirtualBox as well as unauthorized
update, insert or delete access to some of Oracle VM VirtualBox
accessible data and unauthorized read access to a subset of Oracle
VM VirtualBox accessible data.
CVE-2017-3587 8.4 AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
Easily exploitable vulnerability allows low privileged attacker with
logon to the infrastructure where Oracle VM VirtualBox executes to
compromise Oracle VM VirtualBox. While the vulnerability is in
Oracle VM VirtualBox, attacks may significantly impact additional
products. Successful attacks of this vulnerability can result in
unauthorized creation, deletion or modification access to critical
data or all Oracle VM VirtualBox accessible data and unauthorized
ability to cause a hang or frequently repeatable crash (complete
DOS) of Oracle VM VirtualBox.
CVE-2017-3559 7.9 AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H
Easily exploitable vulnerability allows low privileged attacker with
logon to the infrastructure where Oracle VM VirtualBox executes to
compromise Oracle VM VirtualBox. While the vulnerability is in
Oracle VM VirtualBox, attacks may significantly impact additional
products. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash
(complete DOS) of Oracle VM VirtualBox as well as unauthorized
update, insert or delete access to some of Oracle VM VirtualBox
accessible data and unauthorized read access to a subset of Oracle
VM VirtualBox accessible data.
CVE-2017-3575 7.9 AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H
Easily exploitable vulnerability allows high privileged attacker
with logon to the infrastructure where Oracle VM VirtualBox executes
to compromise Oracle VM VirtualBox. While the vulnerability is in
Oracle VM VirtualBox, attacks may significantly impact additional
products. Successful attacks of this vulnerability can result in
unauthorized creation, deletion or modification access to critical
data or all Oracle VM VirtualBox accessible data and unauthorized
ability to cause a hang or frequently repeatable crash (complete
DOS) of Oracle VM VirtualBox.
CVE-2017-3538 7.5 AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Difficult to exploit vulnerability allows low privileged attacker
with logon to the infrastructure where Oracle VM VirtualBox executes
to compromise Oracle VM VirtualBox. While the vulnerability is in
Oracle VM VirtualBox, attacks may significantly impact additional
products. Successful attacks of this vulnerability can result in
unauthorized creation, deletion or modification access to critical
data or all Oracle VM VirtualBox accessible data as well as
unauthorized access to critical data or complete access to all
Oracle VM VirtualBox accessible data.
CVE-2017-3731 5.9 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Difficult to exploit vulnerability allows unauthenticated attacker
with network access via SSL/TLS to compromise Secure Global Desktop.
Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash
(complete DOS) of Secure Global Desktop.
CVE-2013-1982 5.6 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Difficult to exploit vulnerability allows unauthenticated attacker
with network access via TCP to compromise Secure Global Desktop.
Successful attacks of this vulnerability can result in unauthorized
update, insert or delete access to some of Secure Global Desktop
accessible data as well as unauthorized read access to a subset of
Secure Global Desktop accessible data and unauthorized ability to
cause a partial denial of service (partial DOS) of Secure Global
Desktop.
CVE-2016-3739 4.8 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Difficult to exploit vulnerability allows unauthenticated attacker
with network access via multiple protocols to compromise Secure
Global Desktop. Successful attacks of this vulnerability can result
in unauthorized update, insert or delete access to some of Secure
Global Desktop accessible data as well as unauthorized read access
to a subset of Secure Global Desktop accessible data.
CVE-2016-8743 4.0 AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
Difficult to exploit vulnerability allows unauthenticated attacker
with network access via HTTP to compromise Secure Global Desktop.
While the vulnerability is in Secure Global Desktop, attacks may
significantly impact additional products. Successful attacks of this
vulnerability can result in unauthorized read access to a subset of
Secure Global Desktop accessible data.
CVE-2016-0762 3.7 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Difficult to exploit vulnerability allows unauthenticated attacker
with network access via HTTP to compromise Secure Global Desktop.
Successful attacks of this vulnerability can result in unauthorized
read access to a subset of Secure Global Desktop accessible data.
CVE-2017-3513 2.5 AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N
Difficult to exploit vulnerability allows high privileged attacker
with logon to the infrastructure where Oracle VM VirtualBox executes
to compromise Oracle VM VirtualBox. While the vulnerability is in
Oracle VM VirtualBox, attacks may significantly impact additional
products. Successful attacks of this vulnerability can result in
unauthorized read access to a subset of Oracle VM VirtualBox
accessible data." [2]
MITIGATION
Oracle states:
"Due to the threat posed by a successful attack, Oracle strongly
recommends that customers apply CPU fixes as soon as possible. Until
you apply the CPU fixes, it may be possible to reduce the risk of
successful attack by blocking network protocols required by an
attack. For attacks that require certain privileges or access to
certain packages, removing the privileges or the ability to access
the packages from users that do not need the privileges may help
reduce the risk of successful attack. Both approaches may break
application functionality, so Oracle strongly recommends that
customers test changes on non-production systems. Neither approach
should be considered a long-term solution as neither corrects the
underlying problem." [1]
REFERENCES
[1] Oracle Critical Patch Update Advisory - April 2017
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
[2] Text Form of Oracle Critical Patch Update - April 2017 Risk
Matrices
https://www.oracle.com/technetwork/topics/security/cpuapr2017verbose-3236619.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWPhTUIx+lLeg9Ub1AQgLExAAlIKTIZsA3X6RiKJP8EwBBAUzJ6wYsGpC
NEob+jST9jfqWY6BR5hAGBmcfAU+xm6GUcHUnvMvad8mOifttzSuUIbWwVQLSPAY
obslZlYDce+YH+oqVnqhR7E4P32ziROxxKxmKs6srJ1458wTZlAPguMBFhzhBAhd
fuIqGGb2UafXAp2JUaqZCZZ6W6mlDU16HxsPmD/xIyrFe7OrMoYSak7vbibRI8uA
0Mq9sivmipBE77ZPhv72F4HB7LwPIXGrgPpEfD/kJqjbzrPsfccKDCq2eAy6hA+z
4Oe+HrZ3C0X4C5GSlQEW/flV6KMuOS4mPTjR9rmNKHyKceG23yXtd09jBpVSqYG1
H1A0c7jnlEGB81yRCKSpU+3oTVIu2+1V9CH/hyJ6+m3gXWmvyVTZgQDC1nm69jIE
ZbgOmcREQp0FZ0pLfmjTzygQxcrl6d7/ODAFacCHeGVNir1boyEYwoi3LX/M9glt
Ot7JTKhxD52PvXZ7OorRxkmChOPy7OKFtCDVeVbiVL4evCW9J++Li62rwD0C7pfR
VhRHYPDRdhvv2IpcZv/RoVaiRTgB8+85djzUmeQP2CGCNubVT3xUcU30k2aD+KP1
a+EMjRZBCkqX6WJ44Yh8aWPH/FSDnwBFYMnEoreoYC6Bg1KxqOOpI1ULW7HpvSFP
ktFhgp1CgEg=
=MmCQ
-----END PGP SIGNATURE-----