VMware vulnerability allows users to escape virtual environment
- By Joab Jackson
- Feb 28, 2008
A new vulnerability found in some VMware products allows users to escape their virtual environments and muck about in the host operating system, penetration testing software firm Core Security Technologies announced earlier this week.
This vulnerability (CVE Name: CVE-2008-0923) could pose significant risks to enterprise users who are deploying VMware software as a secured environment.
'What's most relevant about this vulnerability is it demonstrates how virtual environments can provide an open door to the underlying infrastructures that host them,' said Iván Arce, chief technology officer at Core Security, in a statement. 'Organizations often adopt virtualization technologies with the assumption that the isolation between the host and guest systems will improve their security posture. This vulnerability provides an important wake-up call to security-concerned IT practitioners. It signals that virtualization is not immune to security flaws.'
The vulnerability, called a path traversal, involves the manipulation of VMware shared folders that are used to transfer data between the guest virtualized system and the host system. A user in a virtual environment could type in a path name that would provide entry into the host system, with full read and write privileges.
According to Core researchers, the VMware software does not adequately check the user input of the path names, allowing malicious parties to enter the commonly used '..' substring to access parent folders and thereby escape folder access restrictions.
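The kind of check described above as inadequate can be shown generically. The following is an added example, not VMware's or Core Security's code: it contrasts an unchecked join of guest input onto a share root with a version that normalizes the path first and then verifies containment. The share root `C:\vmshare`, the function names and the sample guest paths are constructed for illustration.

```python
import ntpath  # Windows path rules on any OS; the affected hosts in the article run Windows

SHARE_ROOT = r"C:\vmshare"  # constructed share root for this example


def naive_resolve(share_root, guest_path):
    """Weak form: join guest input to the share root with no check.
    Returns the path the host would end up opening."""
    return ntpath.normpath(ntpath.join(share_root, guest_path))


def safe_resolve(share_root, guest_path):
    """Map a guest-supplied path to a host path, refusing anything outside share_root."""
    root = ntpath.normcase(ntpath.normpath(share_root))
    # Absolute, drive-qualified or UNC input would make join() discard the root.
    drive, tail = ntpath.splitdrive(guest_path)
    if drive or tail.startswith(("\\", "/")):
        raise PermissionError(f"absolute path rejected: {guest_path!r}")
    # Normalize first ('..', '.', mixed separators), then compare whole components.
    candidate = ntpath.normcase(ntpath.normpath(ntpath.join(root, guest_path)))
    if ntpath.commonpath([root, candidate]) != root:
        raise PermissionError(f"path leaves the share: {guest_path!r}")
    # Lexical check only: a production host must also resolve links and junctions.
    return candidate


def is_contained(share_root, guest_path):
    """True if safe_resolve() accepts the guest path, False if it refuses it."""
    try:
        safe_resolve(share_root, guest_path)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # Constructed guest-supplied paths, not taken from the advisory.
    samples = [r"docs\report.txt", "docs/../notes.txt", r"..\Windows\win.ini",
               r"docs\..\..\secret.txt", r"..\vmshare2\x", r"D:\other", r"\Windows"]
    for p in samples:
        verdict = "allow" if is_contained(SHARE_ROOT, p) else "deny"
        print(f"{verdict:5}  {p!r:28} unchecked join -> {naive_resolve(SHARE_ROOT, p)}")
```

Comparing whole path components rather than string prefixes is what keeps a sibling folder such as `C:\vmshare2` from passing as part of `C:\vmshare`.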
The Shared Folders feature must be enabled in order for the vulnerability to work, though, as Core Security points out, this is the default setting for VMware products. The company provides sample exploitation code on its site.
Older versions of VMware Workstation, VMware Player and VMware ACE all have this vulnerability. Versions of VMware ESX, VMware Server and VMware Fusion are not affected. Linux VMware products are not affected.
Core Security said VMware was first advised of this vulnerability last October. The company indicated it would fix the problem by December, but has not done so.
VMware currently recommends disabling the shared folders feature. Core Security advises that if shared folders must be used, enable them as read-only on the host system.
Joab Jackson is the senior technology editor for Government Computer News.