February 25, 2008
VMware desktop vulnerability exposed
As virtualization is taking off, so are the concerns of security researchers who point out that any vulnerabilities in the software used to underpin the technology could create serious problems for end users.
Case in point, researchers at automated pen testing specialist Core Security passed along an advisory on Monday warning of a newly-discovered flaw in VMware's increasingly popular desktop virtualization software that the company contends could lead to serious attacks by insiders.
According to the report issued by the firm's CoreLabs group, someone logged onto a guest system running on VMware's Player, Workstation and ACE products could potentially break out of their walled environment and gain access to the host computer system within which they are operating.
Once exploited, the issue could then allow attackers to create or modify executable files on the host operating system, according to the advisory.
Core researchers said that they found the vulnerability -- which VMware has already been made aware of -- while looking into a previously-disclosed security issue reported by iDefense Labs in March 2007.
Through the use of a specially-crafted PathName to access a VMware shared folder, Core said, it could be possible to subvert the entire host system running the affected VMware products, including the ability to create or modify executable files in sensitive locations.
The company contends that the flaw results from "improper validation of the PathName parameter passed by a potentially malicious program or user in the Guest system to VMware's Shared Folders mechanism," which it said in turn can transfer into the host machine's file system.
"What's most relevant about this vulnerability is it demonstrates how virtual environments can provide an open door to the underlying infrastructures that host them," Iván Arce, Core's CTO, said in a research note.
"Organizations often adopt virtualization technologies with the assumption that the isolation between the host and guest systems will improve their security posture," Arce said. "This vulnerability provides an important wake-up call that virtualization is not immune to security flaws and that 'real' environments aren't safe simply because they sit behind virtual environments."
Core reported further that the nature of the reported VMware flaw, which it tabbed as "a path traversal vulnerability," could be found in many other types of Web server software and applications, and that it involves the specification of pathnames that include the ".." substring to escape folder access restrictions.
"To prevent this type of attack, it is common to filter out the potentially malicious substring from input received from un-trusted sources," Core said.
Researchers said that affected VMware products that utilize the shared folders feature cannot effectively "sanitize" malicious input in the PathName parameter.
"Although stricter input validation was implemented to fix the vulnerability disclosed previously, the shared folder mechanism still provides complete access to the underlying file system of the Host system due to improper handling of strings with multi-byte encodings," the advisory said.
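The ordering problem behind that statement, as an added illustration that is not VMware's or Core's code and does not reproduce the actual flaw: a ".." filter applied to the encoded bytes, before a multi-byte-to-text conversion, is shown beside a resolver that decodes first and decides on the canonical path. The share root, the UTF-16 wire encoding, the function names and the sample requests are all assumptions constructed for the example.

```python
import posixpath

SHARE_ROOT = "/srv/share"   # hypothetical shared-folder root on the host
ENCODING = "utf-16-le"      # assumed multi-byte wire encoding (illustration only)


def resolve_check_then_decode(raw: bytes) -> str:
    """Flawed order: filter the encoded bytes, decode afterwards."""
    if b".." in raw:                      # the filter only ever sees encoded bytes
        raise ValueError("traversal rejected")
    name = raw.decode(ENCODING)           # ".." can first appear after this step
    return posixpath.normpath(posixpath.join(SHARE_ROOT, name))


def resolve_decode_then_check(raw: bytes) -> str:
    """Hardened order: decode strictly, canonicalize, then test containment."""
    name = raw.decode(ENCODING, errors="strict")   # malformed input is refused
    if "\x00" in name or name.startswith("/"):
        raise ValueError("invalid path name")
    full = posixpath.normpath(posixpath.join(SHARE_ROOT, name))
    # Containment is decided on the final canonical form, not on substrings.
    if posixpath.commonpath([SHARE_ROOT, full]) != SHARE_ROOT:
        raise ValueError("path escapes shared folder")
    return full   # a real host would also resolve symlinks before this check


def escapes_root(path: str) -> bool:
    """True when a resolved path lies outside the shared folder."""
    return posixpath.commonpath([SHARE_ROOT, path]) != SHARE_ROOT


# Constructed sample requests, encoded the way the assumed guest would send them.
BENIGN = "docs/report.txt".encode(ENCODING)
TRAVERSAL = "../../etc/app.conf".encode(ENCODING)

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("traversal", TRAVERSAL)):
        flawed = resolve_check_then_decode(raw)
        print(label, "flawed ->", flawed, "escapes:", escapes_root(flawed))
        try:
            print(label, "hardened ->", resolve_decode_then_check(raw))
        except ValueError as exc:
            print(label, "hardened -> rejected:", exc)
```
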
The vulnerability is only exposed to attack when the shared folders feature is turned on (although it is allowed by default) and at least one folder on the host system is configured for sharing.
The company advised that customers looking for a workaround to lower their risk should merely disable shared folders in all installations of the vulnerable software. If that is not an alternative, configuring shared folders to allow read-only access to the host folder may also help.
For its part, VMware said that it will address the vulnerability within the normal update release schedule of the affected products.
In the meantime the company advised customers to disable shared folders for all virtual machines that use the feature, configure the system for read-only access, or implement appropriate file system monitoring and access control mechanisms on the host operating system until they can upgrade to unaffected versions of the products.
Posted by Matt Hines on February 25, 2008 02:26 PM