Subject: [ASA-202107-52] virtualbox: multiple issues

Arch Linux Security Advisory ASA-202107-52
==========================================

Severity: High
Date    : 2021-07-21
CVE-ID  : CVE-2021-2409 CVE-2021-2442 CVE-2021-2443 CVE-2021-2454
Package : virtualbox
Type    : multiple issues
Remote  : No
Link    : https://security.archlinux.org/AVG-2187

Summary
=======

The package virtualbox before version 6.1.24-1 is vulnerable to
multiple issues including information disclosure, sandbox escape and
denial of service.

Resolution
==========

Upgrade to 6.1.24-1.

# pacman -Syu "virtualbox>=6.1.24-1"

The problems have been fixed upstream in version 6.1.24.

Workaround
==========

None.

Description
===========

- CVE-2021-2409 (sandbox escape)

A security issue has been found in Oracle VM VirtualBox before version
6.1.24. An easily exploitable vulnerability allows a high privileged
attacker with logon to the infrastructure where Oracle VM VirtualBox
executes to compromise Oracle VM VirtualBox. Successful attacks of this
vulnerability can result in a takeover of Oracle VM VirtualBox.

- CVE-2021-2442 (denial of service)

A security issue has been found in Oracle VM VirtualBox before version
6.1.24. An easily exploitable vulnerability allows a high privileged
attacker with logon to the infrastructure where Oracle VM VirtualBox
executes to compromise Oracle VM VirtualBox. Successful attacks of this
vulnerability can result in the unauthorized ability to cause a hang or
frequently repeatable crash (complete denial of service) of Oracle VM
VirtualBox.

- CVE-2021-2443 (information disclosure)

A security issue has been found in Oracle VM VirtualBox before version
6.1.24. An easily exploitable vulnerability allows a high privileged
attacker with logon to the infrastructure where Oracle VM VirtualBox
executes to compromise Oracle VM VirtualBox. Successful attacks of this
vulnerability can result in the unauthorized ability to cause a hang or
frequently repeatable crash (complete denial of service) of Oracle VM
VirtualBox as well as unauthorized update, insert or delete access to
some of Oracle VM VirtualBox accessible data and unauthorized read
access to a subset of Oracle VM VirtualBox accessible data.

- CVE-2021-2454 (sandbox escape)

A security issue has been found in Oracle VM VirtualBox before version
6.1.24. A difficult to exploit vulnerability allows a low privileged
attacker with logon to the infrastructure where Oracle VM VirtualBox
executes to compromise Oracle VM VirtualBox. Successful attacks of this
vulnerability can result in a takeover of Oracle VM VirtualBox.

Impact
======

A malicious virtual machine guest could escape its confinement to run
arbitrary code on the host system, disclose or modify sensitive
information, or crash VirtualBox.

References
==========

https://www.oracle.com/security-alerts/cpujul2021verbose.html#OVIR
https://security.archlinux.org/CVE-2021-2409
https://security.archlinux.org/CVE-2021-2442
https://security.archlinux.org/CVE-2021-2443
https://security.archlinux.org/CVE-2021-2454