Hosting Provided By

Re: VMWare poor guest isolation design

From: Arthur Corliss <corliss(at)digitalmages.com>
Date: Thu Aug 23 2007 - 12:49:15 EDT

On Wed, 22 Aug 2007, M. Burnett wrote:

> I have run across a design issue in VMware's scripting automation API that
> diminishes VM guest/host isolation in such a manner to facilitate privilege
> escalation, spreading of malware, and compromise of guest operating systems.
>
> VMware's scripting API allows a malicious script on the host machine to
> execute programs, open URLs, and perform other privileged operations on any
> guest operating system open at the console, without requiring any
> credentials on the guest operating system. Furthermore, the script can
> execute programs even if you lock the desktop of the guest OS.
>
> For example, if a non-admin user is logged in at the vm host, but logged in
> to guest operating systems as an administrator, the script running as a
> non-admin on the host can still execute admin-level scripts on the guests.
>
> I obviously did not discover this issue--the API developers provided it as a
> feature-I am simply pointing out the potential danger, that it was a poor
> design decision, and that there is a need to establish best practices for
> virtual machine guest and host isolation.

I don't see this as a serious problem. This is the virtual equivalent of no physical security. If the host OS (or an account within it) is compromised, of course all bets are off when it comes to a virtual machine running within it.

Furthermore, this attack only works if you are running the vmware guest utilities *and* you are currently logged into a GUI desktop running the vmware userland process.

I personally look at this as an issue for Windows. I personally don't install the vmware guest software for my Linux VMs, nor would I log into a GUI as root. For that matter, if you are merely hosting the guest VMs why would you need to ever use the vmware console after installation? Use a network-based access method, making the need for the vmware guest utilities unnecessary. That should be sufficient for all OS'es.

In (not so) short, this attack vector is virtually worthless if reasonable security practices are employed.

 	--Arthur Corliss
 	  Live Free or Die

Received on Thu Aug 23 15:27:41 2007

This message: [ Message body ]
Next message: security(at)mandriva.com: "[ MDKSA-2007:170 ] - Updated gimp packages fix input data validation issues in several plugins"
Previous message: Gynvael Coldwind: "X-Diesel Unreal Commander v0.92 (build 573) multiple vulnerabilities"
In reply to: M. Burnett: "VMWare poor guest isolation design"
Next in thread: M. Burnett: "RE: VMWare poor guest isolation design"
Reply: M. Burnett: "RE: VMWare poor guest isolation design"
Reply: William Holmberg: "RE: VMWare poor guest isolation design"
Reply: James C. Slora Jr.: "RE: VMWare poor guest isolation design"
Reply: Jonathan Yu: "Re: VMWare poor guest isolation design"
Reply: Matt Richard: "Re: VMWare poor guest isolation design"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Sun Oct 28 2007 - 06:13:17 EDT