Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog - Critical VMware security alert for Windows-hosted VMware client versions InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Critical VMware security alert for Windows-hosted VMware client versions

Published: 2008-02-24
Last Updated: 2008-02-26 02:29:41 UTC
by Raul Siles (Version: 3)
0 comment(s)

During the last couple of years intensive security research has been performed on virtualization environments, like VMware, Virtual PC, XEN etc. It has been mainly focused on finding new ways to detect if you are running inside a virtual machine (vs. a native host), and finding ways to escape from a virtual machine to the host (or to another virtual machine).

This new VMware vulnerability discovered by Core means a full scape from the guest virtual machine to the host is possible: "On Windows hosts, if you have configured a VMware host-to-guest shared folder, it is possible for a program running in the guest to gain access to the host's complete file system and create or modify executable files in sensitive locations."

It has been rated as critical by VMware and it affects all VMware client products on Windows, that is:

  • VMware Workstation 6.0.2 and earlier, AND 5.5.4 and earlier
  • VMware Player 2.0.2 and earlier, AND 1.0.4 and earlier
  • VMware ACE 2.0.2 and earlier, AND 1.0.2 and earlier

VMware on Mac OS (Fusion) and Linux are not affected by it.

By default, the shared folders feature is disabled in Workstation 6, Player 2, and ACE 2. Workstation 5, Player 1, and ACE 1 enable the shared folders feature by default, but exploiting this vulnerability still requires at least one folder to be configured as shared between the host and guest.

The impact on production environments is supposed to be limited as they tend to use the server versions. However, we, as security professionals, make an extensive use of virtualization technologies for multiple purposes: malware analysis, incident response, forensics, security testing, training, etc, and we typically use the client  versions of the products, so... It is  time to disable the shared folder capabilities!!, as no update or patch is available yet:

Workaround (from the VMware advisory)

Until VMware releases a patch to fix this issue, users of affected Windows-hosted VMware products should disable shared folders.

To disable shared folders in the Global settings:
  1. From the VMware product's menu, choose Edit > Preferences.
  2. In the Workspace tab, under Virtual Machines, deselect the checkbox for Enable all shared folders by default.
To disable shared folders for the individual virtual machine settings:
  1. From the VMware product's menu, choose VM > Settings.
  2. In the Options tab, select Shared Folders and Disable.

 UPDATE 1:
Although the VMware alert mentions VMware Workstation 5.5.4 (or earlier),  ACE 1.0.2 (or earlier) and Player 1.0.4 (or earlier), the latest versions available are VMware Workstation 5.5.5, ACE 1.0.4 and Player 1.0.5. We have confirmed with VMware that all versions of Workstation, ACE and Player are affected.  They will release a fix ASAP. Thanks for the prompt confirmation!

 

Keywords:
0 comment(s)
Diary Archives