Feeds

VMware vuln exposes the perils of virtualization

Container raider

Choosing a cloud hosting partner with confidence

Security researchers have discovered a bug in VMware desktop virtualization applications that allows attackers to take complete control of the underlying PC, including the execution or modification of files on the host operating system.

The vulnerability, which was unearthed by researchers from Core Security Technologies, is particularly important to individuals and companies working in the world of computer security. They frequently turn to VMware Player and Workstation as a means of protecting their machines when analyzing Trojans and other types of malware. In a nutshell, the vulnerability allows attackers to break out of the virtual environment and gain full access to the host computer system.

"This vulnerability provides an important wake-up call to security-concerned IT practitioners," Core researchers wrote. "It signals that virtualization is not immune to security flaws and that 'real' environments aren't safe simply because they sit behind virtual environments."

Core has released proof-of-concept code that allows customers to understand exactly how the bug works in real-world settings.

The exploit uses a specially crafted path name to access folders that are being shared between the host and virtual environments. VMware applications fail to validate the malicious parameters passed from the guest system to VMware's Shared Folders mechanism. The Shared Folders mechanism then hands off the bad data to the host system's file system, which allows the exploit complete access.

The bug is closely related to a vulnerability Core discovered last year that allowed unauthorized directory traversals on machines running VMware Workstation. VMware engineers responded by tightening the input validation, but according to Core, "the shared folder mechanism still provides complete access to the underlying file system of the Host system due to improper handling of strings with multi-byte encodings."

Over the past several years, desktop virtualization has become a popular method for dividing a PC's resources into separate environments that - in theory, at least - can't be altered by other environments. Researchers frequently use virtual machines to analyze how a piece of malware works. While the virtualized environment becomes infected, the host machine remains clean.

We've already heard of malware that attempts to thwart whitehat hackers by monitoring victim machines for VMware and refusing to run correctly if the virtualization software is detected. Core's discovery, which was announced Monday, means bad guys likely have other tricks up their sleeves. After all, if researchers can write an exploit that breaks into the underlying operating system, miscreants almost certainly have the same ability.

"What it shows is that anybody who is proposing virtualization as a widespread anti-malware technique is probably barking up the wrong tree," said Roger Thompson, who frequently uses virtualization when researching web exploits for Exploit Prevention Labs. "It means we've got to take extra steps to ensure the integrity of the sacrificial goat machines. I may have to stop running these things on my primary laptop."

Core's CTO Ivan Arce agrees. While his company still uses VMware, all malware running in company labs is installed on ad-hoc PCs that run on networks completely separated from the one used for corporate purposes.

The vulnerability "has a very practical effect on how we secure our virtual environments here," he said. "To us, this underlies the fact that having the virtualization technology isolated within an ad-hoc network is a good security practice to prevent potential outbreaks."

Arce said VMware has acknowledged the bug and is working on a fix. As a work-around in the meantime, users should disable the shared folders feature, which, according to the report, is turned on by default in VMware's Workstation, Player and ACE applications. If sharing can't be turned off, users should configure it for read-only access and implement file system monitoring. ®

Internet Security Threat Report 2014

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
Carders punch holes through Staples
Investigation launched into East Coast stores
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.