VMware vulnerability could open the database doors to hackers.

Core Security Technologies : 26 February, 2008  (Technical Article)
Core Security discovers that desktop virtualisation software from VMware contains vulnerability that enables direct access to host data.
Core Security Technologies has issued an advisory disclosing a vulnerability that could severely impact organisations relying on VMware's desktop Virtualisation software. This discovery demonstrates that thousands of companies with virtualised systems could unknowingly be exposing critical information assets that they otherwise sought to protect. Core Security today also released an exploit for this vulnerability, enabling customers to validate that it exists, prove that it can be exploited, and safely assess the consequences of an actual network intrusion.

Engineers from CoreLabs, the research arm of Core Security, discovered that an attacker could gain complete access to a host system by exploiting this vulnerability in VMware's desktop software products. The vulnerability could allow an attacker to create or modify executable files on the host operating system.

"What's most relevant about this vulnerability is it demonstrates how virtual environments can provide an open door to the underlying infrastructures that host them," said Ivan Arce, CTO at Core Security Technologies. "Organizations often adopt Virtualisation technologies with the assumption that the isolation between the host and guest systems will improve their security posture. This vulnerability provides an important wake-up call to security-concerned IT practitioners. It signals that Virtualisation is not immune to security flaws and that 'real' environments aren't safe simply because they sit behind virtual environments."

CoreLabs discovered that a malicious user or software running on a Guest system within VMware's desktop software (VMware Player, Workstation and ACE) can break out of the isolated environment and gain full access to the Host computer system. The vulnerability was found while investigating a similar vulnerability in VMware Workstation disclosed by Greg McManus of iDefense Labs in March 2007 (CVE-2007-1744, VMware Workstation Shared Folders Directory Traversal Vulnerability).

CoreLabs researchers developing the exploit for CVE-2007-1744 realized that, by using a specially crafted PathName to access a VMware shared folder, it is possible to gain complete access to the Host's file system. This includes, but is not limited to, creating or modifying executable files in sensitive locations. The vulnerability stems from improper validation of the PathName parameter passed by a potentially malicious program or user in the Guest system to VMware's Shared Folders mechanism, which in turn passes it to the Host system's file system.

Exploitation of path traversal vulnerabilities such as the one found by CoreLabs, which are also commonly found in web server software and web applications, generally involves supplying pathnames that include the ".." substring to escape a folder access restriction. To prevent this type of attack, it is common to filter out the potentially malicious substring from input received from untrusted sources.

Vulnerable VMware products that implement the Shared Folders feature fail to properly sanitize malicious input in the PathName parameter. Although stricter input validation was implemented to fix the vulnerability disclosed previously (CVE-2007-1744), the shared folder mechanism still provides complete access to the underlying file system of the Host system due to improper handling of strings with multi-byte encodings.
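To make the contrast between the two paragraphs above concrete, here is an added example (not VMware's or CoreLabs' code) of a substring filter on raw bytes beside a validator that decodes, canonicalises and then confines the path to the shared root. The shared root, the host encoding (UTF-16LE is assumed here purely as a stand-in for "a multi-byte encoding in which the two dots are not adjacent bytes") and the sample requests are constructed for this example.

```python
import posixpath
from typing import Dict, Optional, Tuple

# Constructed illustration; SHARED_ROOT, HOST_ENCODING and REQUESTS are assumptions.
SHARED_ROOT = "/srv/shared"      # the single host folder exported to the guest
HOST_ENCODING = "utf-16-le"      # assumed: host file layer uses a multi-byte encoding


def weak_is_safe(raw_pathname: bytes) -> bool:
    """Substring filter on the raw bytes as received from the guest.

    This is the 'filter out the ".." substring' approach. It only sees the
    literal byte pair 0x2E 0x2E, so an encoding in which the two dots are
    separated by other bytes passes the check untouched.
    """
    return b".." not in raw_pathname and not raw_pathname.startswith(b"/")


def resolve_or_reject(raw_pathname: bytes) -> Optional[str]:
    """Hardened check: decode, canonicalise, then confine to SHARED_ROOT.

    Returns the canonical host path, or None when the request escapes the
    share. A real implementation would additionally apply os.path.realpath
    to defeat symlinks placed inside the shared folder.
    """
    try:
        text = raw_pathname.decode(HOST_ENCODING, errors="strict")
    except UnicodeDecodeError:
        return None                   # malformed input is rejected, not guessed at
    if "\x00" in text:
        return None                   # an embedded NUL would truncate the path in C APIs
    text = text.replace("\\", "/")    # Windows separators count as separators too
    candidate = posixpath.normpath(posixpath.join(SHARED_ROOT, text))
    # commonpath fails closed for absolute paths and for anything that
    # walked above the root via '..' once normalisation has been applied.
    if posixpath.commonpath([SHARED_ROOT, candidate]) != SHARED_ROOT:
        return None
    return candidate


# Constructed guest requests, all in the host's encoding except the last one.
REQUESTS = {
    "benign":          "docs/report.txt".encode(HOST_ENCODING),
    "traversal":       "..\\..\\outside_share.txt".encode(HOST_ENCODING),
    "absolute":        "/outside_share.txt".encode(HOST_ENCODING),
    "ascii_traversal": b"../../outside_share.txt",   # the case the weak filter was written for
}


def compare() -> Dict[str, Tuple[bool, Optional[str]]]:
    """Run both validators over the samples so the gap between them is visible."""
    return {name: (weak_is_safe(raw), resolve_or_reject(raw)) for name, raw in REQUESTS.items()}
```

Running `compare()` shows the "traversal" request accepted by the substring filter but rejected by the canonicalising validator, while the single-byte "ascii_traversal" request is caught by both.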

The vulnerability affects VMware Workstation, Player and ACE software and it is only exploitable when Shared Folders are enabled (a default setting) and at least one folder on the Host system is configured for sharing. Organizations seeking an immediate workaround to mitigate risk should disable shared folders in all installations of the vulnerable software. If the Shared Folders feature cannot be fully disabled, configuring it to allow read-only access to the Host folder may still provide limited mitigation. However, because other exploitation scenarios may still exist, CoreLabs recommends that end users update to non-vulnerable versions of VMware Workstation, Player and ACE.

VMware has acknowledged this security problem and stated that it will address the issue within the release schedule of the affected products. To protect against potential attacks in the meantime, Core Security recommends that users immediately take one of the following actions:

* Disable Shared Folders for all virtual machines that use the feature.
* If the Shared Folders feature is required, configure it for read-only access.
* If the Shared Folders feature is required, implement appropriate file system monitoring and access control mechanisms on the Host operating system.
* Upgrade your VMware software to a non-vulnerable version.
