The folks at VMware have been in the news quite a bit of late, thanks to their big IPO and their discreet acquisition of Determina a couple of weeks ago. Now the company's core virtualization product is getting some attention, though not the kind its executives will like. Mark Burnett, an independent security consultant and author, recently posted a long description of a vulnerability he found in VIX, VMware's scripting automation API.
The vulnerability comes down to this: the API allows any script on the host machine to execute code and take other actions on any virtual machine running on that host, without requiring any credentials on the guest operating system. That creates a number of problems, as Burnett points out:
The problem is that a malicious script running within the context of a regular user on my desktop can run administrator-level scripts on any guest I am currently logged in to. Using Ctrl+Alt+Del to lock the desktop of those machines does not prevent VIX from executing commands on the guest. Even if I log out of each guest machine the malware can just queue the command to run the next time I log in at the console of the guest OS.
However, this is in fact a feature that the VMware developers intentionally included. VMware's response to Burnett was, in essence, that anyone who can reach the virtual machine APIs on a host can already read the virtual hard disk files, and so could attack the guest from that direction anyway. But it seems to me that Burnett is on to something here. The existence of other paths into a guest does not make this one safe to ignore: as his description shows, an unprivileged host user (or malware running as one) gets live, administrator-level command execution inside a running guest, the guest's own screen lock does nothing to stop it, and a command can be queued to fire the next time someone logs in at the guest console. The trust boundary is the host user account, not the guest's credentials, and that is worth knowing before you rely on a guest's lock screen or logon for anything.
Burnett has also found a mitigation: a switch added to the virtual machine's VMX configuration file.