Cybersecurity specialists report finding at least 20 critical flaws in Oracle VM VirtualBox, a popular virtualization software for x86/amd64 architectures developed by technology company Oracle. According to the report, successful exploitation of the reported flaws would allow denial of service (DoS) attacks and access to sensitive information, among other risk scenarios.
Below is a rundown of the reported flaws, including their CVE tracking keys and ratings according to the Common Vulnerability Scoring System (CVSS).
CVE-2021-2312: Incorrect input validation within the Core component in Oracle VM VirtualBox would allow local users to exploit this flaw to perform a DoS attack.
The vulnerability received a CVSS score of 3.9/10.
CVE-2021-2291: Incorrect input validation within the Core component in Oracle VM VirtualBox would allow local authenticated users to exploit this vulnerability to access sensitive information.
The flaw received a score of 4.2/10.
CVE-2021-2297: Incorrect input validation within the Core component in Oracle VM VirtualBox would allow local privileged users to exploit this vulnerability to access sensitive information.
The vulnerability received a CVSS score of 4.6/10.
CVE-2021-2296: Incorrect input validation within the Core component in Oracle VM VirtualBox would allow privileged users to exploit the error to access sensitive information.
This vulnerability received a score of 4.6/10.
CVE-2021-2266: The vulnerability exists due to incorrect input validation within the Core component in Oracle VM VirtualBox. A local privileged user can exploit this vulnerability to access sensitive information.
This flaw received a CVSS score of 5.2/10.
CVE-2021-2266: Incorrect input validation within the Core component in Oracle VM VirtualBox would allow local privileged users to access sensitive information.
The vulnerability received a score of 5.2/10.
CVE-2021-2287: Incorrect input validation within the Core component in Oracle VM VirtualBox would allow unauthenticated local threat actors to access sensitive information.
This vulnerability received a score of 6.2/10.
CVE-2021-2286: Incorrect input validation within the Core component in Oracle VM VirtualBox allows unauthenticated local users to read and manipulate sensitive data.
The vulnerability received a score of 6.2/10 on the CVSS scale.
CVE-2021-2285: Incorrect input validation within the Core component in Oracle VM VirtualBox would allow unauthenticated local threat actors to exploit the flaw to access sensitive information.
This flaw received a CVSS score of 6.2/10.
CVE-2021-2284: Incorrect input validation within the Core component in Oracle VM VirtualBox would allow unauthenticated local threat actors to access and manipulate sensitive information on the target system.
The vulnerability received a CVSS score of 6.2/10.
Many of the flaws require remote access for successful exploitation, reducing the risk of attack. In addition, cybersecurity experts state that, so far, no active exploitation attempts and no malware variant associated with these flaws have been detected.
Security patches for these flaws are now available, so Oracle recommends that users of affected deployments update as soon as possible. The full list of reported flaws is available on the company’s official platforms. To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.