Security researchers are releasing exploit code today to allow users of VMware's virtualization software to test...
a new file sharing flaw that could be used by attackers to gain access to a system.
The flaw was discovered by Boston-based Core Security Inc. and it could be dangerous, allowing an attacker to gain complete access to a host system if enterprises enabled the file sharing feature. The issue affects all currently supported Windows-hosted versions of VMware Workstation, ACE, and Player.
VMware confirmed the flaw and issued a security alert to customers and plans to release an update to correct the flaw. In its alert, VMware said the issue does not affect VMware ESX Server or VMware Desktop Infrastructure products.
Core is releasing exploit code to its customers this week, said Ivan Arce, chief technology officer of Core. Arce said the flaw demonstrates the continued weaknesses inherent in virtualization software.
"There's a perception that virtualization technology provides additional security because it provides isolation from the real environment to the virtual environment," Arce said. "While that may be the case, there is also another argument to make, which is that virtualization technology is simply software and there's no software that I know of that is immune to bugs."
The vulnerability could allow an attacker to create or modify executable files on the host operating system, Arce said. Core is warning users to turn off the file sharing feature until VMware comes out with a fix.
"File sharing is a convenient feature to have, because it makes it easier to transfer files from one system to the other, but it's not the only way to transfer files," Arce said.
By using a specially crafted PathName to access a VMware shared folder, attackers can exploit the flaw. Arce said researchers came across the discovery while testing an exploit for a Workstation Shared Folders Directory Traversal flaw in VMware Workstation disclosed by Greg McManus of IDefense Labs in March 2007.
VMware patched the previous flaw but left open a loophole for attackers. The vulnerability stems from improper validation of the PathName parameter passed by a potentially malicious program or user in the Guest system to VMware's Shared Folders mechanism, which in turn passes it to the Host system's file system, Arce said.
Despite more than two dozen vulnerabilities reported for VMware software over the last several years, the risk of a malicious attacker targeting virtual environments is low, said Pete Lindstrom, an analyst at Midvale, Utah-based Burton Group. Lindstrom said risk aligns itself with adoption and so far adoption is still low.
"I believe the risk associated with virtualization to be lower than the risk associated with your typical platforms," Lindstrom said. "Virtualization is not replacing anything—it feels like it does, but you've got to put an OS inside of that environment in order to get the software to run."