Re: VMWare poor guest isolation design

On Wed, 22 Aug 2007, M. Burnett wrote:

I have run across a design issue in VMware's scripting automation API that
diminishes VM guest/host isolation in such a manner to facilitate privilege
escalation, spreading of malware, and compromise of guest operating systems.

VMware's scripting API allows a malicious script on the host machine to
execute programs, open URLs, and perform other privileged operations on any
guest operating system open at the console, without requiring any
credentials on the guest operating system. Furthermore, the script can
execute programs even if you lock the desktop of the guest OS.

For example, if a non-admin user is logged in at the vm host, but logged in
to guest operating systems as an administrator, the script running as a
non-admin on the host can still execute admin-level scripts on the guests.

I obviously did not discover this issue--the API developers provided it as a
feature-I am simply pointing out the potential danger, that it was a poor
design decision, and that there is a need to establish best practices for
virtual machine guest and host isolation.

I don't see this as a serious problem. This is the virtual equivalent of no
physical security. If the host OS (or an account within it) is compromised,
of course all bets are off when it comes to a virtual machine running within
it.

Furthermore, this attack only works if you are running the vmware guest
utilities *and* you are currently logged into a GUI desktop running the
vmware userland process.

I personally look at this as an issue for Windows. I personally don't
install the vmware guest software for my Linux VMs, nor would I log into a
GUI as root. For that matter, if you are merely hosting the guest VMs why
would you need to ever use the vmware console after installation? Use a
network-based access method, making the need for the vmware guest utilities
unnecessary. That should be sufficient for all OS'es.

In (not so) short, this attack vector is virtually worthless if reasonable
security practices are employed.

--Arthur Corliss
Live Free or Die

Relevant Pages

  • RE: VMWare poor guest isolation design
    ... VMWare poor guest isolation design ... VMware's scripting API allows a malicious script on the host machine ... this attack only works if you are running the vmware guest ...
    (Bugtraq)
  • VMWare poor guest isolation design
    ... escalation, spreading of malware, and compromise of guest operating systems. ... VMware's scripting API allows a malicious script on the host machine to ... guest operating system open at the console, ... use virtual machines for everything from testing to critical server roles. ...
    (Bugtraq)
  • Re: Shutting down guests in VS hosted on physical cluster
    ... Shut down guest O/S as though a normal machine. ... service (by way of the havm.vbs script) detects this as a "failure" so ... http://www.clusterhelp.com - Cluster Training ... I thought about using the VS scripting interface to shutdown the guest, ...
    (microsoft.public.windows.server.clustering)
  • Re: Lost "guest" user, cannot get back.
    ... You don't want to grant access to a login ... within the databases where you want a guest account. ... Are you running a script to do "setup" of the server? ...
    (microsoft.public.sqlserver.security)
  • Re: David Mitchell to replace Paul Merton on HIGNFY (Re: Peep Show cast)
    ... leave then Mitchell would be the right person to replace him. ... Michael Burke knows how to work an autocue and ... but they need to fire his script writers. ... That's the precise problem with guest presenters. ...
    (uk.media.tv.misc)