Home > Virtualization, VMware > VMWare Hosted Virtualization Platform Vulnerability = Guest System Break-Out via Shared Folders…

VMWare Hosted Virtualization Platform Vulnerability = Guest System Break-Out via Shared Folders…

February 25th, 2008 Leave a comment Go to comments


There’s a little bit of serendipity floating about today and timing is everything.

Ed Skoudis (IntelGuardians) and I were chatting last week at ShmooCon regarding his previous research on VM guest escapes in hosted platforms and I raised a concern regarding my use of Parallel shared folders between my hosted XP installation and the underlying OSX host operating system.

I reckoned that this would be a very interesting vector for potential exploitation as it provides a direct pipeline to the underlying host OS and filesystem. 

While this bit of news isn’t about Parallels, it is about VMware’s comparable products (workstation, ACE, player, etc.) and it exploits the same vector.  From Computerworld:

February 24, 2008 (Computerworld)  A critical vulnerability in VMware Inc.’s virtualization software for Windows lets attackers escape the "guest" operating system and modify or add files to the underlying "host" OS, the company has acknowledged.

As of Sunday, there was no patch available for the flaw, which affects VMware’s Windows client virtualization programs, including Workstation, Player and ACE. The company’s virtual machine software for Windows servers, and for Mac- and Linux-based hosts, are not at risk.

The bug was reported by Core Security Technologies, makers of the penetration testing framework CORE IMPACT, said VMware in a security alert issued last Friday. "Exploitation of this vulnerability allows attackers to break out of an isolated Guest system to compromise the underlying Host system that controls it," claimed Core Security.

According to VMware, the bug is in the shared folder feature of its Windows client-based virtualization software. Shared folders lets users access certain files — typically documents and other application-generated files — from the host OS and any virtual machine on that physical system.

"On Windows hosts, if you have configured a VMware host-to-guest shared folder, it is possible for a program running in the guest to gain access to the host’s complete file system and create or modify executable files in sensitive locations," confirmed VMware.

There is currently no patch available.  The mitigation strategy is to disable shared folders.

It’s important to reiterate that this vulnerability does not affect VMware’s Type 1 (bare metal) virtualization platforms such as ESX.  However, on Friday, VMware released fixes for 5 vulnerabilities in ESX, some of which could be exploited to bypass security controls, gain access to data or result in denial of service.


{image from Anthony Martin Escapes}

UPDATE: Coverage of this is being hammed up quite a bit in the press to sound like it’s going to shake the very foundations of virtualization…not so much.  It’s an issue that is reasonably easy to address and represents what can be generally referred to as a relatively small attack surface.  Yes, it reinforces the need to think about VirtSec in the Type 2 (hosted) virtualization world, but as I said in the comments, it really depends upon how and why you’ve deployed client-side virtualization.

Categories: Virtualization, VMware Tags:
  1. February 25th, 2008 at 09:36 | #1

    Are you concerned enough about the shared folder issue to stop using them. I'm concerned too, but I haven't turned it off yet…

  2. February 25th, 2008 at 11:05 | #2

    I too use Parallels instead of VMWare on my Mac, though have a few PC's running VMWare Workstation. I've always assumed that using the shared folder feature would allow for a compromise from guest to host based on the nature of what it is doing. Maybe I am just paranoid, but I have always disabled the shared folders option and encourage others to do the same for those "testing" vm's.
    This does not make me more concerned about ESX security, though I hope it rattles enough cages to bring the issue to light more.

  3. colin
    February 25th, 2008 at 16:05 | #3

    This just makes sense – any access from the guest to the host provides a probable vector for modification of data on the host. It's not surprising that there is not a patch – if anything, host security would be the way to provide a mitigation.
    If there was to be a headline for this it would be "Enabling Shared Folders in VMWare *Workstation* is Dangerous".
    As there is no such vulnerability in ESX, it's more a case of "Nothing to See Here, Move Along".

  4. February 26th, 2008 at 00:39 | #4

    @colin and @rothman:
    You both interestingly raise an obvious but important point that underscores a larger issue; the age old parable of "security = 1/convenience"
    For me, shared folders are an absolute necessity; I use a Mac and my entire business operating environment runs in a VM (XP) under parallels.
    I create documents in both spaces and need to seamlessly share them across both "platforms." At least for me, my host OS is MacOS X and not Windows, and I'm using Parallels…
    At any rate, I feel almost guilty saying/agreeing with Colin…as currently the notion of security hosted virtualization platforms are thought of even less than those of bare metal systems…
    …unless, of course, you're the government using HAP. I wonder if that code base is also susceptible?

  1. No trackbacks yet.