Feeds

VMware vuln exposes the perils of virtualization

Container raider

SANS - Survey on application security programs

Security researchers have discovered a bug in VMware desktop virtualization applications that allows attackers to take complete control of the underlying PC, including the execution or modification of files on the host operating system.

The vulnerability, which was unearthed by researchers from Core Security Technologies, is particularly important to individuals and companies working in the world of computer security. They frequently turn to VMware Player and Workstation as a means of protecting their machines when analyzing Trojans and other types of malware. In a nutshell, the vulnerability allows attackers to break out of the virtual environment and gain full access to the host computer system.

"This vulnerability provides an important wake-up call to security-concerned IT practitioners," Core researchers wrote. "It signals that virtualization is not immune to security flaws and that 'real' environments aren't safe simply because they sit behind virtual environments."

Core has released proof-of-concept code that allows customers to understand exactly how the bug works in real-world settings.

The exploit uses a specially crafted path name to access folders that are being shared between the host and virtual environments. VMware applications fail to validate the malicious parameters passed from the guest system to VMware's Shared Folders mechanism. The Shared Folders mechanism then hands off the bad data to the host system's file system, which allows the exploit complete access.

The bug is closely related to a vulnerability Core discovered last year that allowed unauthorized directory traversals on machines running VMware Workstation. VMware engineers responded by tightening the input validation, but according to Core, "the shared folder mechanism still provides complete access to the underlying file system of the Host system due to improper handling of strings with multi-byte encodings."

Over the past several years, desktop virtualization has become a popular method for dividing a PC's resources into separate environments that - in theory, at least - can't be altered by other environments. Researchers frequently use virtual machines to analyze how a piece of malware works. While the virtualized environment becomes infected, the host machine remains clean.

We've already heard of malware that attempts to thwart whitehat hackers by monitoring victim machines for VMware and refusing to run correctly if the virtualization software is detected. Core's discovery, which was announced Monday, means bad guys likely have other tricks up their sleeves. After all, if researchers can write an exploit that breaks into the underlying operating system, miscreants almost certainly have the same ability.

"What it shows is that anybody who is proposing virtualization as a widespread anti-malware technique is probably barking up the wrong tree," said Roger Thompson, who frequently uses virtualization when researching web exploits for Exploit Prevention Labs. "It means we've got to take extra steps to ensure the integrity of the sacrificial goat machines. I may have to stop running these things on my primary laptop."

Core's CTO Ivan Arce agrees. While his company still uses VMware, all malware running in company labs is installed on ad-hoc PCs that run on networks completely separated from the one used for corporate purposes.

The vulnerability "has a very practical effect on how we secure our virtual environments here," he said. "To us, this underlies the fact that having the virtualization technology isolated within an ad-hoc network is a good security practice to prevent potential outbreaks."

Arce said VMware has acknowledged the bug and is working on a fix. As a work-around in the meantime, users should disable the shared folders feature, which, according to the report, is turned on by default in VMware's Workstation, Player and ACE applications. If sharing can't be turned off, users should configure it for read-only access and implement file system monitoring. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.