VMware Flaw Shows Virtualized Systems Aren’t Necessarily More Secure, Boston Firm Argues

Companies rushing to adopt virtualization technology have been eager to spread computing loads across fewer machines and thereby reduce IT costs. But many have also been drawn by the widely held belief that virtualization makes IT systems more secure, by isolating a physical host from the virtualized or “guest” operating systems and applications running on top of it—thereby keeping any security breaches in one from reaching the other. Yet a serious vulnerability in workstation virtualization software made by VMware (NYSE: VMW), discovered by engineers at Boston-based Core Security, shows that under some circumstances the wall between virtual and physical systems may be far thinner than most virtualization customers realize—and that, in the words of Core Security co-founder and CTO Iván Arce, “it’s wrong to think that just by spreading virtualization all over your organization you will be more secure.”

The vulnerability, which Core Security reported to VMware last October* and announced publicly on Monday, affects the Windows versions of three related VMware products—Workstation, ACE, and Player. VMware Workstation allows the user of a desktop machine to create a virtual computer-within-the-computer that can run a different operating system than the host machine. ACE is used to manage virtual desktops across an organization, and Player is a free program that runs evaluation copies of virtualized applications from several vendors. All three programs utilize a feature called Shared Folders that allows users to transfer files from folders on the virtual computer to folders on the host computer and vice versa, as long as those folders have been specifically configured for sharing. Engineers at CoreLabs, Core Security’s research arm, discovered that when using Shared Folders, it’s possible to craft improper pathnames for the target folders that are not screened out by VMware’s software, and, in this way, to save files to any desired folder.

The technique they used exploited a variation on a vulnerability discovered and publicized by another security company, IDefense Labs, in March 2007, which VMware subsequently patched. (For geeks only: “The vulnerability that we found has to do with improper cleaning of the pathname,” Arce explains. The CoreLabs engineers’ exploit involves feeding the Shared Folders code an illegal substring of two dots—an instruction to Windows systems to jump up two levels in the hierarchy of directories. The engineers found that under certain circumstances they could place any desired pathname for the target folder after the dots, and that it would be ignored by the software’s pathname validation process. “What VMware should do,” says Arce, “is whenever it sees a pathname that has a ‘..’ in it, it should remove the ‘..’ and the stuff that comes after it, because it’s invalid—it’s an attempt to escape the folder being shared.”)
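An added example, not code from VMware or Core Security, of the kind of containment check Arce describes: a guest-supplied name is accepted only if the normalized host path still lies inside the shared folder. It rejects an escaping path outright rather than trimming it, and it does not reproduce the specific VMware flaw; `SHARE_ROOT` and all function names are hypothetical.

```python
import ntpath  # Windows path rules, usable on any platform

SHARE_ROOT = r"C:\vmshare\docs"  # constructed host folder (assumption)


def naive_filter(guest_path: str) -> bool:
    """Weak check: rejects only one literal spelling of parent traversal."""
    return "..\\" not in guest_path


def resolve_in_share(guest_path: str, root: str = SHARE_ROOT) -> str:
    """Map a guest-supplied relative name to a host path inside root.

    Raises ValueError if the normalized result would leave the share.
    """
    if "\x00" in guest_path:
        raise ValueError("NUL byte in path")
    drive, _ = ntpath.splitdrive(guest_path)
    if drive or guest_path.startswith(("\\", "/")):
        raise ValueError("absolute or drive-qualified path")
    # normpath collapses '.', '..' and treats '/' the same as '\'
    root_norm = ntpath.normpath(root)
    candidate = ntpath.normpath(ntpath.join(root_norm, guest_path))
    # Compare whole components, case-insensitively; a plain prefix test
    # would accept a sibling such as C:\vmshare\docs-private
    key = ntpath.normcase(root_norm)
    if ntpath.commonpath([ntpath.normcase(candidate), key]) != key:
        raise ValueError("path escapes shared folder")
    return candidate


def is_allowed(guest_path: str) -> bool:
    """Boolean wrapper around resolve_in_share for callers and tests."""
    try:
        resolve_in_share(guest_path)
        return True
    except ValueError:
        return False
```

The forward-slash spelling `../../Windows/win.ini` passes `naive_filter` yet is refused by `resolve_in_share`, because the decision is made on the path the host would actually open rather than on the raw string.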

In essence, the pathname screening failure gives any hacker who’s already got access to the virtual computer free rein over the host computer as well. “Through this vulnerability, code from the guest operating system can read, write, or even overwrite any file on the real operating system, including system files,” explains Arce, whom I reached in Buenos Aires, where Core Security’s research and development center is located. “That means a program running on the virtualized operating system could have full access to the real operating system—something that is not supposed to happen.”

A large contingent of employees at VMware—a subsidiary of Hopkinton, MA-based EMC (NYSE: EMC)—has decamped this week to Cannes, France, where the company’s first large European user conference, VMworld Europe, got underway yesterday. But I was able to get through to Jerry Chen, VMware’s senior director of enterprise desktop software, to talk about the Core Security announcement. Chen acknowledges that the vulnerability exists, and he said the company is working on a patch for it. But he insists that

Author: Wade Roush
