Exploit code released for critical VMware flaw

By Robert Westervelt, News Editor 25 Feb 2008 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Security researchers are releasing exploit code today to allow users of VMware's virtualization software to test a new file sharing flaw that could be used by attackers to gain access to a system.

Virtualization technology is simply software and there's no software that I know of that is immune to bugs. Ivan Arce, chief technology officer, Core Security Inc.

The flaw was discovered by Boston-based Core Security Inc. and it could be dangerous, allowing an attacker to gain complete access to a host system if enterprises enabled the file sharing feature. The issue affects all currently supported Windows-hosted versions of VMware Workstation, ACE, and Player.

VMware confirmed the flaw and issued a security alert to customers and plans to release an update to correct the flaw. In its alert, VMware said the issue does not affect VMware ESX Server or VMware Desktop Infrastructure products.

Core is releasing exploit code to its customers this week, said Ivan Arce, chief technology officer of Core. Arce said the flaw demonstrates the continued weaknesses inherent in virtualization software.

"There's a perception that virtualization technology provides additional security because it provides isolation from the real environment to the virtual environment," Arce said. "While that may be the case, there is also another argument to make, which is that virtualization technology is simply software and there's no software that I know of that is immune to bugs."

The vulnerability could allow an attacker to create or modify executable files on the host operating system, Arce said. Core is warning users to turn off the file sharing feature until VMware comes out with a fix.

"File sharing is a convenient feature to have, because it makes it easier to transfer files from one system to the other, but it's not the only way to transfer files," Arce said.

Virtualization risks: VMworld: Desktop virtualization drives security skepticism: Virtualization powerhouse VMware is using its conference to promote the merits of desktop virtualization, but some say the technology may prove to be a burden for enterprise security pros. Instant Gratification: BIOS-level virtualization: One company is driving virtualization down into the BIOS and believes its technology could make computing more secure. Preparing for virtualization security unknowns: Server virtualization technology is revolutionizing enterprise data centers, but nobody knows just how it will affect enterprise information security. Will using virtualization software put an enterprise at risk? A virtualized IT infrastructure can simplify operations and save a company money, but is such an environment secure?

By using a specially crafted PathName to access a VMware shared folder, attackers can exploit the flaw. Arce said researchers came across the discovery while testing an exploit for a Workstation Shared Folders Directory Traversal flaw in VMware Workstation disclosed by Greg McManus of IDefense Labs in March 2007.

VMware patched the previous flaw but left open a loophole for attackers. The vulnerability stems from improper validation of the PathName parameter passed by a potentially malicious program or user in the Guest system to VMware's Shared Folders mechanism, which in turn passes it to the Host system's file system, Arce said.

Despite more than two dozen vulnerabilities reported for VMware software over the last several years, the risk of a malicious attacker targeting virtual environments is low, said Pete Lindstrom, an analyst at Midvale, Utah-based Burton Group. Lindstrom said risk aligns itself with adoption and so far adoption is still low.

"I believe the risk associated with virtualization to be lower than the risk associated with your typical platforms," Lindstrom said. "Virtualization is not replacing anything—it feels like it does, but you've got to put an OS inside of that environment in order to get the software to run."

Tags: Virtualization Security Issues and Threats,  Emerging Information Security Threats,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Virtualization Security Issues and Threats Virtual appliances boost flexibility, improve security Lack of cloud computing definition adds confusion, risk Three cloud computing risks to consider App service cloud could boost security, manageability Kodak CISO on virtualization, compliance Face-off: Assessing cloud computing risks Citrix virtual desktop, app delivery controller includes security benefits Who should secure virtual IT environments? Who should secure virtual IT environments? (Part 2) Trend Micro to acquire Third Brigade for virtualization, cloud security Emerging Information Security Threats Antispyware buying guide for Indian enterprises ATM malware lets attackers take over machines FTC shutters rogue ISP for hosting malicious content, botnets The failing war against cybercriminals White House cybersecurity czar faces major hurdles Cybercrime and threat management The Pipe Dream of No More Free Bugs Face-off: Who should be in charge of cybersecurity? Federal efforts to secure cyberinfrastrucure Adobe working on patch to correct new zero-day flaw

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary DNS rebinding attack  (SearchSecurity.com) drive-by pharming  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) man in the browser  (SearchSecurity.com) phlashing  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary