VMware security bug exposed on eve of VMworld

Security vendor Core Security Technologies claims VMware has failed to fix a severe bug in its virtualisation software
Written by Peter Judge, Contributor

VMware has failed to fix a severe bug in its virtualisation software, which can expose users' critical information, according to security vendor Core Security Technologies, which is releasing software that demonstrates the problem.

The announcement shows that virtualisation software is just as vulnerable as any other software, according to Core, and comes in the week of the vendor's VMworld event in Cannes, where VMware is expected to announce an important security initiative in partnership with other major companies.

Core has released proof-of-concept exploit software, which it says demonstrates a serious flaw in VMware's desktop virtualisation software that could give hackers control of virtualised systems, and which it claims VMware has been aware of for four months.

The security vendor is releasing the exploit in the week of the VMworld event in the hope that publicity will force VMware to take action, and to make users aware of the problem and enable them to "safely assess the consequences of an actual network intrusion", and apply a simple workaround to avoid the problem.

The vulnerability could allow an attacker to create or modify executable files on the host operating system, through weaknesses in VMware's shared folders feature. Hackers can use a specially crafted PathName to access a VMware shared folder, because VMware does not properly validate PathNames, according to Iván Arce, chief technology officer at Core.

The demonstration reveals that virtualisation environments are no safer than any other software environment, according to Arce: "Organisations often adopt virtualisation technologies with the assumption that the isolation between the host and guest systems will improve their security posture. This vulnerability provides an important wake-up call to security-concerned IT practitioners. It signals that virtualisation is not immune to security flaws and that 'real' environments aren't safe simply because they sit behind virtual environments."

CoreLabs staff found the vulnerability in October, while investigating a similar vulnerability in VMware Workstation disclosed by Greg McManus of IDefense Labs in March 2007. "Since October we have been exchanging emails with the VMware security team," said Arce. "The fix was supposed to be released in December, then January, then February. The workaround is simple and easy, so rather than continue to wait, we felt we should inform the users, and then wait for an official response."

To avoid the flaw, users have to disable shared folders and use alternative methods to share files, said Arce: "If they need to transfer files, there are other ways to do this. It shouldn't be too difficult." If they need shared folders, it is safe to configure them for read-only access and/or use file system monitoring on the host operating system.

The shared folders feature is turned on by default, so most VMware users could be vulnerable, according to Core. Despite VMware's delays, Arce believes the company is on the right track: "This is the first time we have dealt with VMware, and I think they do have the right skill set in terms of security," he told ZDNet. "I think they could improve their processes, but compared to other vendors they are not the worst or the best. Virtualisation is no more secure than any other software."

"Path traversal vulnerabilities" like this, also found in web server software and web applications, generally involve pathnames that include the ".." substring to escape folder access restrictions. To prevent this type of attack, it is common to filter out the potentially malicious substring from input received from untrusted sources, according to Core's release.
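The check a host-side file-sharing service needs is the one the paragraph above describes in the abstract: decide, before touching the host file system, whether a guest-supplied PathName stays inside the exported folder. The following is an added illustration written for this article, not VMware's code and not Core's proof of concept; the share root `/srv/vmshare` and the sample PathNames are constructed. It contrasts the substring blacklist the release mentions with canonicalisation, which resolves `..`, `.` and doubled separators and then asks whether the result is still beneath the share root.

```python
import posixpath

# Constructed example: a host directory exported to the guest as a shared folder.
# Not VMware's actual layout, just a stand-in for the check being demonstrated.
SHARE_ROOT = "/srv/vmshare"


def naive_filter(pathname: str) -> str:
    """Single-pass removal of '../', i.e. the substring blacklist the article mentions.

    Kept here only to show the weakness of sanitising by deletion: one pass over
    '....//x' leaves '../x' behind, so the filter itself manufactures an escape.
    """
    return pathname.replace("../", "")


def canonical_share_path(share_root: str, pathname: str) -> str:
    """Map a guest-supplied PathName onto the host and return the normalised result.

    Backslashes are folded to '/' because a Windows host treats both as separators.
    The PathName is then anchored under share_root (a leading '/' is stripped, so
    guest paths are always relative to the share) and '.', '..' and '//' are
    collapsed; the returned string is what the host file system would actually open.
    """
    root = posixpath.normpath(share_root)
    relative = pathname.replace("\\", "/").lstrip("/")
    return posixpath.normpath(posixpath.join(root, relative))


def is_inside_share(share_root: str, pathname: str) -> bool:
    """True only if the canonical path is share_root itself or lies beneath it."""
    root = posixpath.normpath(share_root)
    candidate = canonical_share_path(share_root, pathname)
    return candidate == root or candidate.startswith(root + "/")


def resolve_shared_path(share_root: str, pathname: str) -> str:
    """Validate a PathName before the host acts on it; refuse anything that escapes."""
    if not is_inside_share(share_root, pathname):
        raise PermissionError(f"PathName escapes shared folder: {pathname!r}")
    return canonical_share_path(share_root, pathname)


def audit(share_root: str, pathnames) -> dict:
    """Return {pathname: 'allow' | 'deny'} for a batch of PathNames, e.g. from a log."""
    return {p: ("allow" if is_inside_share(share_root, p) else "deny") for p in pathnames}


if __name__ == "__main__":
    # Constructed sample PathNames a guest might present to the shared-folder service.
    samples = [
        "docs/readme.txt",
        "a/../b.txt",
        "../../outside.txt",
        "..\\..\\outside.txt",
        "....//outside.txt",
    ]
    for p, verdict in audit(SHARE_ROOT, samples).items():
        print(f"{verdict:5}  {p!r:26} -> {canonical_share_path(SHARE_ROOT, p)}")
    # '....//outside.txt' is a harmless directory literally named '....', so the
    # canonical check allows it; the blacklist rewrites it into '../outside.txt'.
    print("after naive filter:", naive_filter("....//outside.txt"))
```

The design point is that a path is accepted or rejected on what it resolves to, never on what characters it contains: the canonical check makes the same decision for `../../outside.txt` and its backslash variant, and it is not fooled by a name such as `....`, which the deletion-based filter turns into a real traversal. Read-only shares and file system monitoring on the host, the mitigations Arce mentions, sit alongside this check rather than replacing it.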

VMware is preparing its own security initiative, called VMsafe, to be launched at VMworld, according to reports by Reuters, in which unnamed sources say the company is working with Symantec, McAfee, IBM's ISS division, Check Point and the RSA security unit of VMware parent EMC.

VMware did not respond to requests for information by press time.