Critical VMware Flaw Threatens Underlying System

Exploitation of the vulnerability allows attackers to break out of an isolated Guest system and potentially cause damage, researchers with Core Security Technologies suggest.
A flaw in VMware's desktop virtualization products for Windows could allow an attacker to escape the confines of the virtualized environment and access the host system.

Core Security Technologies discovered the problem and disclosed it on its Web site on Monday.

"A vulnerability was found in VMware's shared folders mechanism that grants users of a Guest system read and write access to any portion of the Host's file system including the system folder and other security-sensitive files. Exploitation of this vulnerability allows attackers to break out of an isolated Guest system to compromise the underlying Host system that controls it."

"What's most relevant about this vulnerability is it demonstrates how virtual environments can provide an open door to the underlying infrastructures that host them," said Ivan Arce, CTO at Core Security Technologies, in a statement. "Organizations often adopt virtualization technologies with the assumption that the isolation between the host and guest systems will improve their security posture. This vulnerability provides an important wake-up call to security-concerned IT practitioners. It signals that virtualization is not immune to security flaws and that 'real' environments aren't safe simply because they sit behind virtual environments."

In order to successfully exploit the vulnerability, the Shared Folder feature needs to be enabled and at least one folder on the host system needs to be set up for sharing. The Shared Folder feature is enabled by default.

VMware has issued a critical security advisory for users of its VMware Workstation, VMware Player, and VMware ACE products and the company advises disabling the Shared Folder feature. Linux and Mac OS X versions of VMware's software are not affected.

In a post on the Internet Storm Center blog, security researcher Raul Siles said that the impact of this vulnerability should be limited because many companies use server-based virtualization products rather than desktop virtualization software. However, he also observes that security professionals tend to use client versions of virtualization software extensively and that anyone doing so should disable the Shared Folder feature immediately.
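For administrators following the advice to disable Shared Folders, the sketch below audits a VM's .vmx configuration for folders still exposed to the guest. It is an added example, not code from the article, Core Security or VMware; the key names (`sharedFolderN.present`, `sharedFolderN.enabled`, `sharedFolderN.hostPath`, `isolation.tools.hgfs.disable`) are assumptions about the .vmx format and should be checked against the product version in use.

```python
import re

# Constructed sample .vmx content (not from a real VM); key names are assumptions.
SAMPLE_VMX = r"""
displayName = "analysis-vm"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.writeAccess = "TRUE"
sharedFolder0.hostPath = "C:\Users\analyst\samples"
sharedFolder0.guestName = "samples"
sharedFolder1.present = "TRUE"
sharedFolder1.enabled = "FALSE"
sharedFolder1.hostPath = "C:\tools"
sharedFolder1.guestName = "tools"
"""

LINE_RE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')
FOLDER_RE = re.compile(r"sharedfolder(\d+)\.present")

def parse_vmx(text):
    """Parse key = "value" lines; keys are lowercased for comparison."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def flag(settings, key, default="FALSE"):
    """True when the setting (or its default) is the string TRUE."""
    return settings.get(key, default).strip().upper() == "TRUE"

def audit_shared_folders(text):
    """Return one finding per shared folder still exposed to the guest."""
    s = parse_vmx(text)
    if flag(s, "isolation.tools.hgfs.disable"):
        return []  # shared folders switched off for the whole VM
    findings = []
    for i in sorted(int(m.group(1)) for k in s if (m := FOLDER_RE.fullmatch(k))):
        p = f"sharedfolder{i}."
        # Conservative: a folder with no explicit enabled = "FALSE" is reported.
        if flag(s, p + "present") and flag(s, p + "enabled", default="TRUE"):
            findings.append({"index": i,
                             "host_path": s.get(p + "hostpath", ""),
                             "guest_name": s.get(p + "guestname", ""),
                             "writable": flag(s, p + "writeaccess")})
    return findings

if __name__ == "__main__":
    for f in audit_shared_folders(SAMPLE_VMX):
        print("shared folder still enabled:", f)
```

An empty result means no folder in that configuration is exposed; any finding lists the host path to review and whether the guest has write access to it.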

Core Security claims that it notified VMware about the vulnerability on October 16, 2007. The company's account of its correspondence with VMware suggests that the virtualization company has been rather lackadaisical about fixing this critical Shared Folder flaw.
