Breach, Data Security, Incident Response, Malware, TDR, Vulnerability Management

Two vulnerabilities found in VMware virtualization products

Security researchers have uncovered a pair of vulnerabilities in VMware software, which is used to run multiple versions of an operating system on a single computer. One flaw affect a server version of the software, the other is found in desktop software.

At the recent Black Hat Security conference in Washington D.C., a researcher demonstrated that an attacker could take control of the VMware and Xen virtualization software when moving a virtual machine from one physical computer to another. 

The researcher, Jon Oberheide, a graduate student at the University of Michigan in Ann Arbor, released Xensploit, a tool that allows an attacker to take control of VM's hypervisor, a virtualization engine that permits multiple operating systems and applications to run on a host computer at the same time. The attacker could then download sensitive data from the live virtual machines (VMs). 

Data moves in clear-text format during a VM migration, permitting an attacker to perform a man-in-the-middle attack on a virtual machine's hypervisor that would allow stealing data in transit, Oberheide said.

Oberheide demonstrated his Xensploit tool manipulating the Secure Shell (SSH) network protocol's daemon-based authentication process, essentially granting the attacker administrative access to the VM. He reported that organizations with VM systems can bypass the problem by relying on manual authentication between the source and destination hypervisors during a migration. Alternatively, they can encrypt the data or use a separate physical network or virtual network to isolate the migrating VMs.

Meanwhile, engineers at Core Security on Friday issued an advisory disclosing a vulnerability that could severely impact organizations that use VMware's desktop virtualization software, VMware Player, Workstation and ACE. The engineers also released a proof-of-concept exploit for the vulnerability to allow testing and assessing the consequences of an attack on the VMware products.

The vulnerability could grant an attacker complete access to a host system, giving them the ability to create or modify executable files on the host operating system, Ivan Arce, Core Security's chief technology officer, told That could allow the attacker to take control of the "entire system, including the operating system files,” he said.

"What's most relevant about this vulnerability is it demonstrates how virtual environments can provide an open door to the underlying infrastructures that host them," Arce said. "This vulnerability provides a wake-up call to security-concerned IT practitioners . . . virtualization is not immune to security flaws and that 'real' environments aren't safe simply because they sit behind virtual environments."

According to Core Security, a malicious user or software running on a "guest" system within one of VMware's desktop software products can "break out of the isolated environment and gain full access to the host computer system." The company said it found the vulnerability while investigating a similar flaw in VMware Workstation disclosed by Greg McManus of iDefense Labs in March 2007.

CoreLabs researchers developing an exploit for that vulnerability realized that, if they used a specially crafted pathname to access a VMware shared folder, they could gain complete access to the host file system. In turn, that gave them the ability to create or modify executable files in what the company called "sensitive locations."

The vulnerability is exploitable only when shared folders are enabled (a default setting in the VMware desktop products) and at least one folder on the host system is configured for sharing, acccording to Core Security. The company recommends disabling shared folders in all installations of the vulnerable software.

Although Core Security has released proof-of-concept code and is working with VMware on the issue, Arce said, "As far as we know, nobody has exploited this in the wild."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.