Last Updated: 2008-06-01 13:56:42 UTC
by Mari Nichols (Version: 1)
I don't know how many of you work with VMware, but I have to thank Ed Skoudis for turning me on to virtualization in one of his classes long ago. Since that time, I have been using it as an invaluable tool for incident handling and testing patches and vulnerabilities. So, I found it interesting to see the VMware security advisory VMSA-2008-0008 sent from fellow handler Jim Clausing. Security Focus is reporting that there are no exploits in the wild at this time. These security vulnerabilities have been addressed in the newest releases of VMware's hosted product line. The advisory affects the following products:
VMware Workstation 6.0.3 and earlier
VMware Player 2.0.3 and earlier
VMware ACE 2.0.3 and earlier
VMware Fusion 1.1.1 and earlier
Windows-based VMCI arbitrary code execution vulnerability
VMware says that VMCI was introduced in VMware Workstation 6.0, VMware Player 2.0, and VMware ACE 2.0, and that it is an experimental, optional feature that allows virtual machines to communicate with one another. With VMCI enabled, a guest may execute arbitrary code in the context of the vmx process on the host. This is a compiler-dependent vulnerability and only affects systems running on Windows hosts. An attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successfully exploiting this issue can completely compromise affected computers. Failed exploit attempts will result in a denial-of-service condition.
VMware Host Guest File System (HGFS) shared folders
The second issue is in HGFS shared folders, a feature that allows users to transfer data between a guest operating system and the non-virtualized host operating system that contains it. The vulnerability is a heap buffer overflow. Exploitation of this flaw might allow an unprivileged guest process to execute code in the context of the vmx process on the host. In order to exploit this vulnerability, the VMware system must have at least one folder shared. One good thing about this vulnerability is that if you are using the default setting, you are not vulnerable. The vulnerability only applies if you have changed the settings to share folders. VMware Server, ESX and ESXi do not provide the shared folders feature, so they are not vulnerable.
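Both issues depend on optional settings, so a quick audit of a virtual machine's .vmx file shows whether either precondition is met. The script below is an added example, not code from this diary or from VMware. The .vmx key names (sharedFolder<N>.present, sharedFolder<N>.enabled, vmci0.present) and all function names are assumptions, and the sample configuration is constructed.

```python
import re

# Assumed .vmx key names (not given in the diary): sharedFolder<N>.present and
# sharedFolder<N>.enabled for HGFS shares, vmci0.present for VMCI.
LINE_RE = re.compile(r'^\s*([\w.:-]+)\s*=\s*"(.*)"\s*$')
SHARE_RE = re.compile(r'^sharedfolder(\d+)\.(present|enabled)$')
# Last affected release per product, as listed in the diary.
LAST_AFFECTED = {"workstation": (6, 0, 3), "player": (2, 0, 3),
                 "ace": (2, 0, 3), "fusion": (1, 1, 1)}
# Constructed sample configuration, not taken from a real system.
SAMPLE_VMX = r'''
vmci0.present = "TRUE"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.hostPath = "C:\samples"
sharedFolder1.present = "TRUE"
sharedFolder1.enabled = "FALSE"
'''

def parse_vmx(text):
    """Map lower-cased keys to values; comments and malformed lines are skipped."""
    pairs = (LINE_RE.match(line) for line in text.splitlines())
    return {m.group(1).lower(): m.group(2) for m in pairs if m}

def is_true(value):
    return value.strip().lower() == "true"

def active_shares(settings):
    """Indices of shared folders marked both present and enabled."""
    flags = {}
    for key, value in settings.items():
        m = SHARE_RE.match(key)
        if m:
            flags.setdefault(int(m.group(1)), {})[m.group(2)] = is_true(value)
    return sorted(i for i, f in flags.items() if f.get("present") and f.get("enabled"))

def audit(text, product, version, windows_host):
    """Check a VM configuration against the two preconditions in the diary."""
    s = parse_vmx(text)
    old = tuple(version) <= LAST_AFFECTED[product]
    shares = active_shares(s)
    return {"affected_release": old,
            "hgfs_exposed": old and bool(shares),  # needs at least one shared folder
            "vmci_exposed": old and windows_host and is_true(s.get("vmci0.present", "")),
            "shares": shares}

if __name__ == "__main__":
    print(audit(SAMPLE_VMX, "workstation", (6, 0, 3), windows_host=True))
```

A configuration with no shared folder and no VMCI device reports both exposure flags as false even on an affected release, which matches the default-settings case described above.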