Critical VMware bug lets attackers zap 'real' Windows
No patch yet for shared-folders flaw
Computerworld - A critical vulnerability in VMware Inc.'s virtualization software for Windows lets attackers escape the "guest" operating system and modify or add files to the underlying "host" operating system, the company has acknowledged.
As of Sunday, there was no patch available for the flaw, which affects VMware's Windows client virtualization programs, including Workstation, Player and ACE. The company's virtual machine software for Windows servers and for Mac- and Linux-based hosts are not at risk.
The bug was reported by Core Security Technologies, makers of the penetration-testing framework CORE IMPACT, said VMware in a security alert issued last Friday. "Exploitation of this vulnerability allows attackers to break out of an isolated guest system to compromise the underlying host system that controls it," claimed Core Security.
According to VMware, the bug is in the shared-folder feature of its Windows client-based virtualization software. Shared folders let users access certain files -- typically documents and other application-generated files -- from the host operating system and any virtual machine on that physical system.
"On Windows hosts, if you have configured a VMware host-to-guest shared folder, it is possible for a program running in the guest to gain access to the host's complete file system and create or modify executable files in sensitive locations," confirmed VMware.
VMware has not posted a fix, but it instead told users to disable shared folders.
The Palo Alto, Calif.-based company also made it clear that the vulnerability isn't present in its server line of virtual machine software; VMware Server and ESX Server do not use shared folders. Newer versions of VMware's Windows client virtualization tools also disable shared folders by default, the company added. Users must manually turn on the feature to be vulnerable.
A similar bug was reported by VeriSign Inc.'s iDefense Labs to VMware in March 2007. VMware patched it about a month later.
Friday's alert, however, was the second security-related notice posted by VMware in two days. On Thursday, VMware patched its ESX Server line to quash five bugs that could be used to slip past security restrictions, launch denial-of-service attacks or compromise virtualized systems.
The increased reliance on virtual machines, particularly on enterprise servers, has come with its own set of security problems, researchers and IT administrators have noted previously. Sunday, an analyst at the SANS Institute's Internet Storm Center (ISC) extended that warning to desktop virtualization users, particularly security professionals.
"We make an extensive use of virtualization technologies for multiple purposes: malware analysis, incident response, forensics, security testing, training, etc., and we typically use the client versions of the products," said Raul Siles in a post to the ISC blog. "It is time to disable the shared-folder capabilities."
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts