CORE SECURITY TECHNOLOGIES DISCOVERS CRITICAL VULNERABILITY IN VMWARE'S DESKTOP VIRTUALIZATION

Core Security Technologies has discovered a critical vulnerability in VMware's desktop virtualization software through which an attacker can gain complete access to the host system, including the ability to create or modify executable files in sensitive locations. The vulnerability affects VMware Workstation, Player and ACE.

Exploitation Could Enable Complete Access to Host File System

BOSTON, MA - February 25, 2008 - Core Security Technologies, provider of CORE IMPACT, the most comprehensive product for performing enterprise security assurance testing, today issued an advisory disclosing a vulnerability that could severely impact organizations relying on VMware's desktop virtualization software. This discovery demonstrates that thousands of companies with virtualized systems could unknowingly be exposing critical information assets that they otherwise sought to protect. Core Security today also released an exploit for this vulnerability, enabling customers to validate that it exists, prove that it can be exploited, and safely assess the consequences of an actual network intrusion.

Engineers from CoreLabs, the research arm of Core Security, discovered that an attacker could gain complete access to a host system by exploiting this vulnerability in VMware’s desktop software products. The vulnerability could allow an attacker to create or modify executable files on the host operating system.

“What’s most relevant about this vulnerability is it demonstrates how virtual environments can provide an open door to the underlying infrastructures that host them,” said Iván Arce, CTO at Core Security Technologies. “Organizations often adopt virtualization technologies with the assumption that the isolation between the host and guest systems will improve their security posture. This vulnerability provides an important wake-up call to security-concerned IT practitioners. It signals that virtualization is not immune to security flaws and that ‘real’ environments aren’t safe simply because they sit behind virtual environments.”

Vulnerability Details
CoreLabs discovered that a malicious user or software running on a Guest system within VMware's desktop software (VMware Player, Workstation and ACE) can break out of the isolated environment and gain full access to the Host computer system. The vulnerability was found while investigating a similar vulnerability in VMware Workstation disclosed by Greg McManus of iDefense Labs in March 2007 (CVE-2007-1744, VMware Workstation Shared Folders Directory Traversal Vulnerability).

CoreLabs researchers developing the exploit for CVE-2007-1744 realized that, by using a specially crafted PathName to access a VMware shared folder, it is possible to gain complete access to the Host’s file system. This includes, but is not limited to, creating or modifying executable files in sensitive locations. The vulnerability stems from improper validation of the PathName parameter passed by a potentially malicious program or user in the Guest system to VMware’s Shared Folders mechanism, which in turn passes it to the Host system’s file system.

Exploitation of path traversal vulnerabilities such as the one found by CoreLabs, which are also commonly found in web server software and web applications, generally involves supplying pathnames that contain the “..” substring to escape the folder the application intended to restrict access to. A common defence is to filter that substring out of input received from untrusted sources; as this case shows, filtering the raw input is not sufficient on its own.

Vulnerable VMware products that implement the Shared Folders feature fail to properly sanitize malicious input in the PathName parameter. Although stricter input validation was implemented to fix the previously disclosed vulnerability (CVE-2007-1744), the shared folder mechanism still provides complete access to the underlying file system of the Host system because strings with multi-byte encodings are handled improperly: the validation does not see the same path that the Host file system eventually receives.
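The following is an added example, not Core Security's exploit and not VMware's code, illustrating the general bug class the advisory describes: a "..” filter applied before the path is decoded, beside a resolver that decodes strictly and checks containment on the final host path. The page does not state which multi-byte encoding VMware mishandled; the lenient decoder below, which accepts overlong two-byte UTF-8 forms, is an assumed stand-in for that behaviour. The shared folder itself is a constructed temporary directory.

```python
import os
import tempfile

# Constructed sandbox for the example: a temporary directory stands in for the
# host, and HOST_ROOT/share for the one folder exported to the guest.
HOST_ROOT = tempfile.mkdtemp(prefix="vmshare_")
SHARE_ROOT = os.path.join(HOST_ROOT, "share")
os.makedirs(os.path.join(SHARE_ROOT, "docs"))
with open(os.path.join(HOST_ROOT, "secret.txt"), "w") as fh:
    fh.write("host-only data\n")  # lives OUTSIDE the share


def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 but also accept overlong two-byte forms (lead byte 0xC0/0xC1).

    Assumption: this models a lenient multi-byte decoder, a well-known bug class.
    It is a stand-in for the unspecified encoding issue in the advisory, not a
    reproduction of the VMware code.
    """
    fixed = bytearray()
    i = 0
    while i < len(data):
        lead = data[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            # Overlong sequence: fold it to the single ASCII byte it encodes.
            fixed.append(((lead & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            fixed.append(lead)
            i += 1
    return bytes(fixed).decode("utf-8")


def naive_resolve(guest_path: bytes):
    """VULNERABLE: filter '..' on the raw bytes, then decode and join.

    The check runs before decoding, so an encoded '..' passes straight through.
    """
    if b".." in guest_path:
        return None
    try:
        rel = lenient_utf8_decode(guest_path)
    except UnicodeDecodeError:
        return None
    rel = rel.replace("\\", "/")
    return os.path.normpath(os.path.join(SHARE_ROOT, rel))


def safe_resolve(guest_path: bytes, share_root: str = SHARE_ROOT):
    """HARDENED: decode strictly, canonicalise, then check containment last.

    The decision is made on the exact host path that would be opened, so an
    encoding trick, a separator variant or a symlink cannot move it outside
    the share.
    """
    try:
        rel = guest_path.decode("utf-8")  # strict: overlong/invalid bytes raise
    except UnicodeDecodeError:
        return None
    if "\x00" in rel:
        return None
    rel = rel.replace("\\", "/")
    root = os.path.realpath(share_root)
    candidate = os.path.realpath(os.path.join(root, rel))
    # commonpath (not startswith) so that a sibling like "share2" is rejected too
    if os.path.commonpath([root, candidate]) != root:
        return None  # escaped the share
    return candidate


if __name__ == "__main__":
    probe = b"\xc0\xae\xc0\xae/secret.txt"  # '..' with each '.' overlong-encoded
    print("naive :", naive_resolve(probe))  # a host file outside the share
    print("safe  :", safe_resolve(probe))   # None
```

The order of operations is the whole point: decode, normalise and resolve first, and only then decide, because any check performed on an earlier representation of the path can be bypassed by an encoding the check does not understand. Substring filtering of “..” is at best defence in depth.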

The vulnerability affects VMware Workstation, Player and ACE software and it is only exploitable when Shared Folders are enabled (a default setting) and at least one folder on the Host system is configured for sharing. Organizations seeking an immediate workaround to mitigate risk should disable shared folders in all installations of the vulnerable software. If the Shared Folders feature cannot be fully disabled, configuring it to allow read-only access to the Host folder may still provide limited mitigation. However, because other exploitation scenarios may still exist, CoreLabs recommends that end users update to non-vulnerable versions of VMware Workstation, Player and ACE.

VMware has acknowledged this security problem and stated that it will address the issue within the release schedule of the affected products. To protect against potential attacks in the meantime, Core Security recommends that users immediately take one of the following actions:

  • Disable Shared Folders for all virtual machines that use the feature.
  • If the Shared Folders feature is required, configure it for read-only access.
  • If the Shared Folders feature is required, implement appropriate file system monitoring and access control mechanisms on the Host operating system.
  • Upgrade your VMware software to a non-vulnerable version.

For more information on this vulnerability and the systems affected, please view the CORE-2007-0930 Security Advisory, “Path Traversal Vulnerability in VMware's Shared Folders Implementation” at http://www.coresecurity.com/?action=item&id=2129.
