VMware hypervisor escape via serial port? VMware hypervisor escape via serial port.
Virtzilla patches desktop host code-execution bugs
VMware has advised of two security flaws that impact its desktop products.
VMware's desktop hypervisors Workstation and Fusion, plus the Player app that runs pre-packaged virtual machines, all have “an input validation issue on an RPC command” that could allow a denial-of-service of the guest operating System (32-bit) or a denial-of-service of the host operating system (64-bit).
Peter Kamensky from Digital Security gets the credit for spotting those flaws.
Workstation and the Horizon Client used for desktop virtualisation and application delivery have “memory manipulation issues” in the TPView.dll and TPInt.dll libraries upon which each relies. And by memory manipulation issues, Vmware means executing code on the host operating system – a classic hypervisor escape. Which is bad.
“On Workstation, this may allow a guest to execute code or perform a denial of service on the Windows OS that runs Workstation,” the company says. “In the case of a Horizon Client, this may allow a View desktop to execute code or perform a Denial of Service on the Windows OS that runs the Horizon Client.”
Kostya Kortchinsky of the Google Security Team gets the gold star for finding those flaws. All the techie details behind Kortchinsky's bugs can be found here – they are triggered by sending malicious data down the COM1 serial port to the aforementioned vulnerable .dll files.
Here's a video showing the vulnerabilities being exploited:
The good news is that the fixes are in: upgrading to the newest version of the products mentioned above, many of which have a new release to address the flaws, should knock the bugs on the head.
VMware's instructions about what to do can be found here.
Workstation, Fusion and Player aren't exactly VMwre's crown jewels, so while it's never good to have insecure products, these flaws won't give users a reason to worry about their core virtualised infrastructure. The Horizon hole is more worrying, but with ESX and vSphere untouched, this isn't a major breakout. VMware can also point to a good track record on security, as it posts and repairs rather fewer flaws than the likes of Microsoft or Oracle. ®