Feeds

VMware vuln exposes the perils of virtualization

Container raider

Top three mobile application threats

Security researchers have discovered a bug in VMware desktop virtualization applications that allows attackers to take complete control of the underlying PC, including the execution or modification of files on the host operating system.

The vulnerability, which was unearthed by researchers from Core Security Technologies, is particularly important to individuals and companies working in the world of computer security. They frequently turn to VMware Player and Workstation as a means of protecting their machines when analyzing Trojans and other types of malware. In a nutshell, the vulnerability allows attackers to break out of the virtual environment and gain full access to the host computer system.

"This vulnerability provides an important wake-up call to security-concerned IT practitioners," Core researchers wrote. "It signals that virtualization is not immune to security flaws and that 'real' environments aren't safe simply because they sit behind virtual environments."

Core has released proof-of-concept code that allows customers to understand exactly how the bug works in real-world settings.

The exploit uses a specially crafted path name to access folders that are being shared between the host and virtual environments. VMware applications fail to validate the malicious parameters passed from the guest system to VMware's Shared Folders mechanism. The Shared Folders mechanism then hands off the bad data to the host system's file system, which allows the exploit complete access.

The bug is closely related to a vulnerability Core discovered last year that allowed unauthorized directory traversals on machines running VMware Workstation. VMware engineers responded by tightening the input validation, but according to Core, "the shared folder mechanism still provides complete access to the underlying file system of the Host system due to improper handling of strings with multi-byte encodings."

Over the past several years, desktop virtualization has become a popular method for dividing a PC's resources into separate environments that - in theory, at least - can't be altered by other environments. Researchers frequently use virtual machines to analyze how a piece of malware works. While the virtualized environment becomes infected, the host machine remains clean.

We've already heard of malware that attempts to thwart whitehat hackers by monitoring victim machines for VMware and refusing to run correctly if the virtualization software is detected. Core's discovery, which was announced Monday, means bad guys likely have other tricks up their sleeves. After all, if researchers can write an exploit that breaks into the underlying operating system, miscreants almost certainly have the same ability.

"What it shows is that anybody who is proposing virtualization as a widespread anti-malware technique is probably barking up the wrong tree," said Roger Thompson, who frequently uses virtualization when researching web exploits for Exploit Prevention Labs. "It means we've got to take extra steps to ensure the integrity of the sacrificial goat machines. I may have to stop running these things on my primary laptop."

Core's CTO Ivan Arce agrees. While his company still uses VMware, all malware running in company labs is installed on ad-hoc PCs that run on networks completely separated from the one used for corporate purposes.

The vulnerability "has a very practical effect on how we secure our virtual environments here," he said. "To us, this underlies the fact that having the virtualization technology isolated within an ad-hoc network is a good security practice to prevent potential outbreaks."

Arce said VMware has acknowledged the bug and is working on a fix. As a work-around in the meantime, users should disable the shared folders feature, which, according to the report, is turned on by default in VMware's Workstation, Player and ACE applications. If sharing can't be turned off, users should configure it for read-only access and implement file system monitoring. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Canadian taxman says hundreds pierced by Heartbleed SSL skewer
900 social insurance numbers nicked, says revenue watchman
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
Burnt out on patches this month? Oracle's got 104 MORE fixes for you
Mass patch for issues across its software catalog
Reddit users discover iOS malware threat
'Unflod Baby Panda' looks to snatch Apple IDs
Oracle working on at least 13 Heartbleed fixes
Big Red's cloud is safe and Oracle Linux 6 has been patched, but Java has some issues
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.