
===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0033
  Multiple vulnerabilities have been identified in Oracle Virtualization
                              17 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle Virtualization
Operating System:     Windows
                      Linux variants
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Access Confidential Data        -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-2698 CVE-2018-2694 CVE-2018-2693
                      CVE-2018-2690 CVE-2018-2689 CVE-2018-2688
                      CVE-2018-2687 CVE-2018-2686 CVE-2018-2685
                      CVE-2018-2676 CVE-2017-5715 CVE-2017-5645
                      CVE-2017-3736  
Member content until: Friday, February 16 2018
Reference:            ASB-2018.0031
                      ASB-2018.0030
                      ASB-2018.0028
                      ASB-2018.0027
                      ASB-2018.0026
                      ASB-2018.0019
                      ASB-2018.0017
                      ASB-2018.0015
                      ASB-2018.0013

OVERVIEW

        Multiple vulnerabilities have been identified in:
          Oracle Secure Global Desktop (SGD), version 5.3
          Oracle VM VirtualBox, versions prior to 5.1.32 and prior to 5.2.6 [1]


IMPACT

        The vendor has provided the following information regarding
        the vulnerabilities:
        
        "This Critical Patch Update contains 14 new security fixes
        for Oracle Virtualization. 3 of these vulnerabilities may be
        remotely exploitable without authentication, i.e., may be
        exploited over a network without requiring user
        credentials." [1]

        "CVE-2017-5645  (base score 9.8)  AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        The supported version that is affected is 7.5. Easily
        exploitable vulnerability allows unauthenticated attacker
        with network access via HTTP to compromise Oracle
        Communications BRM - Elastic Charging Engine. Successful
        attacks of this vulnerability can result in takeover of
        Oracle Communications BRM - Elastic Charging Engine.

        CVE-2018-2694  (base score 8.8)  AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
        Supported versions that are affected are Prior to 5.1.32 and
        Prior to 5.2.6. Easily exploitable vulnerability allows low
        privileged attacker with logon to the infrastructure where
        Oracle VM VirtualBox executes to compromise Oracle VM
        VirtualBox. While the vulnerability is in Oracle VM
        VirtualBox, attacks may significantly impact additional
        products. Successful attacks of this vulnerability can
        result in takeover of Oracle VM VirtualBox.

        CVE-2018-2698  (base score 8.8)  AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
        Supported versions that are affected are Prior to 5.1.32 and
        Prior to 5.2.6. Easily exploitable vulnerability allows low
        privileged attacker with logon to the infrastructure where
        Oracle VM VirtualBox executes to compromise Oracle VM
        VirtualBox. While the vulnerability is in Oracle VM
        VirtualBox, attacks may significantly impact additional
        products. Successful attacks of this vulnerability can
        result in takeover of Oracle VM VirtualBox.

        CVE-2018-2685  (base score 8.6)  AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
        Supported versions that are affected are Prior to 5.1.32 and
        Prior to 5.2.6. Easily exploitable vulnerability allows
        unauthenticated attacker with logon to the infrastructure
        where Oracle VM VirtualBox executes to compromise Oracle VM
        VirtualBox. Successful attacks require human interaction
        from a person other than the attacker and while the
        vulnerability is in Oracle VM VirtualBox, attacks may
        significantly impact additional products. Successful attacks
        of this vulnerability can result in takeover of Oracle VM
        VirtualBox.

        CVE-2018-2686  (base score 8.6)  AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
        Supported versions that are affected are Prior to 5.1.32 and
        Prior to 5.2.6. Easily exploitable vulnerability allows
        unauthenticated attacker with logon to the infrastructure
        where Oracle VM VirtualBox executes to compromise Oracle VM
        VirtualBox. Successful attacks require human interaction
        from a person other than the attacker and while the
        vulnerability is in Oracle VM VirtualBox, attacks may
        significantly impact additional products. Successful attacks
        of this vulnerability can result in takeover of Oracle VM
        VirtualBox.

        CVE-2018-2687  (base score 8.6)  AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
        Supported versions that are affected are Prior to 5.1.32 and
        Prior to 5.2.6. Easily exploitable vulnerability allows
        unauthenticated attacker with logon to the infrastructure
        where Oracle VM VirtualBox executes to compromise Oracle VM
        VirtualBox. Successful attacks require human interaction
        from a person other than the attacker and while the
        vulnerability is in Oracle VM VirtualBox, attacks may
        significantly impact additional products. Successful attacks
        of this vulnerability can result in takeover of Oracle VM
        VirtualBox.

        CVE-2018-2688  (base score 8.6)  AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
        Supported versions that are affected are Prior to 5.1.32 and
        Prior to 5.2.6. Easily exploitable vulnerability allows
        unauthenticated attacker with logon to the infrastructure
        where Oracle VM VirtualBox executes to compromise Oracle VM
        VirtualBox. Successful attacks require human interaction
        from a person other than the attacker and while the
        vulnerability is in Oracle VM VirtualBox, attacks may
        significantly impact additional products. Successful attacks
        of this vulnerability can result in takeover of Oracle VM
        VirtualBox.

        CVE-2018-2689  (base score 8.6)  AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
        Supported versions that are affected are Prior to 5.1.32 and
        Prior to 5.2.6. Easily exploitable vulnerability allows
        unauthenticated attacker with logon to the infrastructure
        where Oracle VM VirtualBox executes to compromise Oracle VM
        VirtualBox. Successful attacks require human interaction
        from a person other than the attacker and while the
        vulnerability is in Oracle VM VirtualBox, attacks may
        significantly impact additional products. Successful attacks
        of this vulnerability can result in takeover of Oracle VM
        VirtualBox.

        CVE-2018-2690  (base score 8.6)  AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
        Supported versions that are affected are Prior to 5.1.32 and
        Prior to 5.2.6. Easily exploitable vulnerability allows
        unauthenticated attacker with logon to the infrastructure
        where Oracle VM VirtualBox executes to compromise Oracle VM
        VirtualBox. Successful attacks require human interaction
        from a person other than the attacker and while the
        vulnerability is in Oracle VM VirtualBox, attacks may
        significantly impact additional products. Successful attacks
        of this vulnerability can result in takeover of Oracle VM
        VirtualBox.

        CVE-2018-2676  (base score 8.2)  AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
        Supported versions that are affected are Prior to 5.1.32 and
        Prior to 5.2.6. Easily exploitable vulnerability allows high
        privileged attacker with logon to the infrastructure where
        Oracle VM VirtualBox executes to compromise Oracle VM
        VirtualBox. While the vulnerability is in Oracle VM
        VirtualBox, attacks may significantly impact additional
        products. Successful attacks of this vulnerability can
        result in takeover of Oracle VM VirtualBox.

        CVE-2018-2693  (base score 8.2)  AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
        Supported versions that are affected are Prior to 5.1.32 and
        Prior to 5.2.6. Easily exploitable vulnerability allows low
        privileged attacker with logon to the infrastructure where
        Oracle VM VirtualBox executes to compromise Oracle VM
        VirtualBox. Successful attacks require human interaction
        from a person other than the attacker and while the
        vulnerability is in Oracle VM VirtualBox, attacks may
        significantly impact additional products. Successful attacks
        of this vulnerability can result in takeover of Oracle VM
        VirtualBox.

        CVE-2017-3736  (base score 5.9)  AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
        The supported version that is affected is 12.1.3. Difficult
        to exploit vulnerability allows unauthenticated attacker
        with network access via HTTPS to compromise Application
        Server. Successful attacks of this vulnerability can result
        in unauthorized access to critical data or complete access
        to all Application Server accessible data.
        CVE-2017-5715  (base score 5.6)  AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
        Supported versions that are affected are SW 1.x and SW 2.x.
        Difficult to exploit vulnerability allows low privileged
        attacker with logon to the infrastructure where Oracle X86
        Servers executes to compromise Oracle X86 Servers. While
        the vulnerability is in Oracle X86 Servers, attacks may
        significantly impact additional products. Successful
        attacks of this vulnerability can result in unauthorized
        access to critical data or complete access to all Oracle X86
        Servers accessible data. Note: This includes Intel microcode
        that enables OS and VM level mitigations for CVE-2017-5715.
        Application of firmware patches to pick up the Intel
        microcode is required only for Oracle x86 servers using non
        Oracle OS and Virtualization software. Oracle OS and Oracle
        VM patches for CVE-2017-5715 will include updated Intel
        microcode." [2]


MITIGATION

        Oracle states:
        
        "Due to the threat posed by a successful attack, Oracle
        strongly recommends that customers apply CPU fixes as soon
        as possible. Until you apply the CPU fixes, it may be
        possible to reduce the risk of successful attack by blocking
        network protocols required by an attack. For attacks that
        require certain privileges or access to certain packages,
        removing the privileges or the ability to access the
        packages from users that do not need the privileges may help
        reduce the risk of successful attack. Both approaches may
        break application functionality, so Oracle strongly
        recommends that customers test changes on non-production
        systems. Neither approach should be considered a long-term
        solution as neither corrects the underlying problem." [1]


REFERENCES

        [1] Oracle Critical Patch Update Advisory - January 2018
            http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

        [2] Text Form of Oracle Critical Patch Update - January 2018 Risk
            Matrices
            http://www.oracle.com/technetwork/security-advisory/cpujan2018verbose-3236630.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================