Critical VMware bug lets attackers zap 'real' Windows

by Gregg Keizer

February 25, 2008 —

A critical vulnerability in VMware
Inc.'s virtualization software for Windows lets attackers escape the "guest"
operating system and modify or add files to the underlying "host"
operating system, the company has acknowledged.

As of Sunday, there was no patch available for the flaw, which affects VMware's
Windows client virtualization programs, including Workstation, Player and ACE.
The company's virtual machine software for Windows servers and for Mac- and
Linux-based hosts are not at risk.

The bug was reported by
Core Security Technologies, makers of the penetration-testing framework
CORE IMPACT, said VMware in a security alert issued last Friday. "Exploitation
of this vulnerability allows attackers to break out of an isolated guest system
to compromise the underlying host system that controls it," claimed Core
Security.

According to VMware, the bug is in the shared-folder feature of its Windows
client-based virtualization software. Shared folders let users access certain
files -- typically documents and other application-generated files -- from the
host operating system and any virtual machine on that physical system.

"On Windows hosts, if you have configured a VMware host-to-guest shared
folder, it is possible for a program running in the guest to gain access to
the host's complete file system and create or modify executable files in sensitive
locations," confirmed VMware.

VMware has not posted a fix, but it instead told users to disable shared folders.

The Palo Alto, Calif.-based company also made it clear that the vulnerability
isn't present in its server line of virtual machine software; VMware Server
and ESX Server do not use shared folders. Newer versions of VMware's Windows
client virtualization tools also disable shared folders by default, the company
added. Users must manually turn on the feature to be vulnerable.

A similar bug was reported by VeriSign Inc.'s iDefense
Labs to VMware in March 2007. VMware patched it about a month later.

Friday's alert, however, was the second security-related notice posted by VMware
in two days. On Thursday, VMware patched its ESX Server line to quash five bugs
that could be used to slip past security restrictions, launch denial-of-service
attacks or compromise virtualized systems.

The increased reliance on virtual machines, particularly on enterprise servers,
has come with its own set of security problems, researchers and IT administrators
have noted previously. Sunday, an analyst at the SANS Institute's Internet
Storm Center (ISC) extended that warning to desktop virtualization users,
particularly security professionals.

"We make an extensive use of virtualization technologies for multiple
purposes: malware analysis, incident response, forensics, security testing,
training, etc., and we typically use the client versions of the products,"
said Raul Siles in a post to the ISC blog. "It is time to disable the shared-folder
capabilities."

Computerworld