Oracle VM VirtualBox up to 5.2.43/6.0.23/6.1.11 Core integer underflow

Summaryinfo

A vulnerability was found in Oracle VM VirtualBox up to 5.2.43/6.0.23/6.1.11. It has been declared as critical. Affected by this issue is some unknown functionality of the component Core. Executing a manipulation can lead to Local Privilege Escalation. This vulnerability is registered as CVE-2020-14699. The attack needs to be launched locally. No exploit is available. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability classified as critical was found in Oracle VM VirtualBox up to 5.2.43/6.0.23/6.1.11 (Virtualization Software). This vulnerability affects some unknown processing of the component Core. The manipulation with an unknown input leads to a local privilege escalation vulnerability. The CWE definition for the vulnerability is CWE-191. The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.44, prior to 6.0.24 and prior to 6.1.12. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).

The weakness was published 07/15/2020 as Oracle Critical Patch Update Advisory - July 2020 as confirmed advisory (Website). The advisory is shared for download at oracle.com. This vulnerability was named CVE-2020-14699. The exploitation appears to be difficult. The attack needs to be approached locally. The exploitation requires an enhanced level of successful authentication. There are neither technical details nor an exploit publicly available.

Upgrading eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.

Similar entries are available at VDB-158073, VDB-158074, VDB-158075 and VDB-158076. Once again VulDB remains the best source for vulnerability data.

Productinfo

Type

• Virtualization Software

Vendor

• Oracle

Name

• VM VirtualBox

Version

• 5.2.0
• 5.2.1
• 5.2.2
• 5.2.3
• 5.2.4
• 5.2.5
• 5.2.6
• 5.2.7
• 5.2.8
• 5.2.9
• 5.2.10
• 5.2.11
• 5.2.12
• 5.2.13
• 5.2.14
• 5.2.15
• 5.2.16
• 5.2.17
• 5.2.18
• 5.2.19
• 5.2.20
• 5.2.21
• 5.2.22
• 5.2.23
• 5.2.24
• 5.2.25
• 5.2.26
• 5.2.27
• 5.2.28
• 5.2.29
• 5.2.30
• 5.2.31
• 5.2.32
• 5.2.33
• 5.2.34
• 5.2.35
• 5.2.36
• 5.2.37
• 5.2.38
• 5.2.39
• 5.2.40
• 5.2.41
• 5.2.42
• 5.2.43
• 6.0.0
• 6.0.1
• 6.0.2
• 6.0.3
• 6.0.4
• 6.0.5
• 6.0.6
• 6.0.7
• 6.0.8
• 6.0.9
• 6.0.10
• 6.0.11
• 6.0.12
• 6.0.13
• 6.0.14
• 6.0.15
• 6.0.16
• 6.0.17
• 6.0.18
• 6.0.19
• 6.0.20
• 6.0.21
• 6.0.22
• 6.0.23
• 6.1.0
• 6.1.1
• 6.1.2
• 6.1.3
• 6.1.4
• 6.1.5
• 6.1.6
• 6.1.7
• 6.1.8
• 6.1.9
• 6.1.10
• 6.1.11

License

• open-source (GNU GPLv3)

Website

• Vendor: https://www.oracle.com

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion