Feeds

VMware vuln exposes the perils of virtualization

Container raider

The essential guide to IT transformation

Security researchers have discovered a bug in VMware desktop virtualization applications that allows attackers to take complete control of the underlying PC, including the execution or modification of files on the host operating system.

The vulnerability, which was unearthed by researchers from Core Security Technologies, is particularly important to individuals and companies working in the world of computer security. They frequently turn to VMware Player and Workstation as a means of protecting their machines when analyzing Trojans and other types of malware. In a nutshell, the vulnerability allows attackers to break out of the virtual environment and gain full access to the host computer system.

"This vulnerability provides an important wake-up call to security-concerned IT practitioners," Core researchers wrote. "It signals that virtualization is not immune to security flaws and that 'real' environments aren't safe simply because they sit behind virtual environments."

Core has released proof-of-concept code that allows customers to understand exactly how the bug works in real-world settings.

The exploit uses a specially crafted path name to access folders that are being shared between the host and virtual environments. VMware applications fail to validate the malicious parameters passed from the guest system to VMware's Shared Folders mechanism. The Shared Folders mechanism then hands off the bad data to the host system's file system, which allows the exploit complete access.

The bug is closely related to a vulnerability Core discovered last year that allowed unauthorized directory traversals on machines running VMware Workstation. VMware engineers responded by tightening the input validation, but according to Core, "the shared folder mechanism still provides complete access to the underlying file system of the Host system due to improper handling of strings with multi-byte encodings."

Over the past several years, desktop virtualization has become a popular method for dividing a PC's resources into separate environments that - in theory, at least - can't be altered by other environments. Researchers frequently use virtual machines to analyze how a piece of malware works. While the virtualized environment becomes infected, the host machine remains clean.

We've already heard of malware that attempts to thwart whitehat hackers by monitoring victim machines for VMware and refusing to run correctly if the virtualization software is detected. Core's discovery, which was announced Monday, means bad guys likely have other tricks up their sleeves. After all, if researchers can write an exploit that breaks into the underlying operating system, miscreants almost certainly have the same ability.

"What it shows is that anybody who is proposing virtualization as a widespread anti-malware technique is probably barking up the wrong tree," said Roger Thompson, who frequently uses virtualization when researching web exploits for Exploit Prevention Labs. "It means we've got to take extra steps to ensure the integrity of the sacrificial goat machines. I may have to stop running these things on my primary laptop."

Core's CTO Ivan Arce agrees. While his company still uses VMware, all malware running in company labs is installed on ad-hoc PCs that run on networks completely separated from the one used for corporate purposes.

The vulnerability "has a very practical effect on how we secure our virtual environments here," he said. "To us, this underlies the fact that having the virtualization technology isolated within an ad-hoc network is a good security practice to prevent potential outbreaks."

Arce said VMware has acknowledged the bug and is working on a fix. As a work-around in the meantime, users should disable the shared folders feature, which, according to the report, is turned on by default in VMware's Workstation, Player and ACE applications. If sharing can't be turned off, users should configure it for read-only access and implement file system monitoring. ®

Next gen security for virtualised datacentres

More from The Register

next story
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Germany 'accidentally' snooped on John Kerry and Hillary Clinton
Dragnet surveillance picks up EVERYTHING, USA, m'kay?
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
Think crypto hides you from spooks on Facebook? THINK AGAIN
Traffic fingerprints reveal all, say boffins
Rupert Murdoch says Google is worse than the NSA
Mr Burns vs. The Chocolate Factory, round three!
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.