Vulnerability CVE-2013-0420

Vulnerability Name:

CVE-2013-0420 (CCN-81309)

Assigned:

2012-12-07

Published:

2013-01-15

Updated:

2018-10-30

Summary:

Unspecified vulnerability in the VirtualBox component in Oracle Virtualization 4.0, 4.1, and 4.2 allows local users to affect integrity and availability via unknown vectors related to Core.
Note: The previous information was obtained from the January 2013 Oracle CPU. Oracle has not commented on claims from another vendor that this issue is related to an incorrect comparison in the vga_draw_text function in Devices/Graphics/DevVGA.cpp, which can cause VirtualBox to "draw more lines than necessary."

CVSS v3 Severity:

3.3 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): High Privileges Required (PR): Low User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

2.4 Low (CVSS v2 Vector: AV:L/AC:H/Au:S/C:N/I:P/A:P)
1.8 Low (Temporal CVSS v2 Vector: AV:L/AC:H/Au:S/C:N/I:P/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): High Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): Partial

2.4 Low (CCN CVSS v2 Vector: AV:L/AC:H/Au:S/C:N/I:P/A:P)
1.8 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:H/Au:S/C:N/I:P/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): High Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): Partial

Vulnerability Type:

CWE-noinfo

Vulnerability Consequences:

Unknown

References:

Source: MITRE
Type: CNA
CVE-2013-0420

Source: SUSE
Type: Vendor Advisory
openSUSE-SU-2013:0231

Source: CCN
Type: SA51893
Oracle VirtualBox Unspecified Privilege Escalation Vulnerability

Source: MANDRIVA
Type: UNKNOWN
MDVSA-2013:150

Source: CCN
Type: Oracle Web site
Oracle Critical Patch Update Advisory - January 2013

Source: CONFIRM
Type: Vendor Advisory
http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html

Source: CCN
Type: BID-57383
Oracle VM VirtualBox CVE-2013-0420 Local Vulnerability

Source: CONFIRM
Type: Patch
https://bugzilla.novell.com/show_bug.cgi?id=798776

Source: XF
Type: UNKNOWN
oracle-cpujan2013-cve20130420(81309)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:15763

Source: MISC
Type: Exploit, Patch
https://www.virtualbox.org/changeset/44055/vbox

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2013-0420

Vulnerable Configuration:

Configuration 1:

cpe:/o:opensuse:opensuse:12.1:*:*:*:*:*:*:*

OR cpe:/o:opensuse:opensuse:12.2:*:*:*:*:*:*:*

Configuration 2:

cpe:/a:oracle:virtualization:4.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:virtualization:4.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:virtualization:4.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:vm_virtualbox:4.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:vm_virtualbox:4.1.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:vm_virtualbox:4.2.0:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:oracle:vm_virtualbox:4.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:virtualization:4.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:virtualization:4.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:virtualization:4.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:vm_virtualbox:4.1.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:vm_virtualbox:4.2.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.mitre.oval:def:15763	V	Unspecified vulnerability in the VirtualBox component in Oracle Virtualization 4.0, 4.1, and 4.2	2014-02-17
oval:org.opensuse.security:def:20130420	V	CVE-2013-0420	2014-01-28
oval:com.ubuntu.precise:def:20130420000	V	CVE-2013-0420 on Ubuntu 12.04 LTS (precise) - medium.	2013-01-16
oval:com.ubuntu.trusty:def:20130420000	V	CVE-2013-0420 on Ubuntu 14.04 LTS (trusty) - medium.	2013-01-16

BACK