VMware Flaw Shows Virtualized Systems Aren’t Necessarily More Secure, Boston Firm Argues
Companies rushing to adopt virtualization technology have been eager to spread computing loads across fewer machines and thereby reduce IT costs. But many have also been drawn by the widely held belief that virtualization makes IT systems more secure, by isolating a physical host from the virtualized or “guest” operating systems and applications running on top of it—thereby keeping any security breaches in one from reaching the other. Yet a serious vulnerability in workstation virtualization software made by VMware (NYSE: VMW), discovered by engineers at Boston-based Core Security, shows that under some circumstances the wall between virtual and physical systems may be far thinner than most virtualization customers realize—and that, in the words of Core Security co-founder and CTO Iván Arce, “it’s wrong to think that just by spreading virtualization all over your organization you will be more secure.”
The vulnerability, which Core Security reported to VMware last October* and announced publicly on Monday, affects the Windows versions of three related VMware products—Workstation, ACE, and Player. VMware Workstation allows the user of a desktop machine to create a virtual computer-within-the-computer that can run a different operating system than the host machine. ACE is used to manage virtual desktops across an organization, and Player is a free program that runs evaluation copies of virtualized applications from several vendors. All three programs use a feature called Shared Folders that allows users to transfer files from folders on the virtual computer to folders on the host computer and vice versa, as long as those folders have been specifically configured for sharing. Engineers at CoreLabs, Core Security’s research arm, discovered that when using Shared Folders, it is possible to craft improper pathnames for the target folders that are not screened out by VMware’s software, and in this way to read or write files in any folder on the host, not just the ones configured for sharing.
The technique they used exploited a variation on a vulnerability discovered and publicized by another security company, IDefense Labs, in March 2007, which VMware subsequently patched. (For geeks only: “The vulnerability that we found has to do with improper cleaning of the pathname,” Arce explains. The CoreLabs engineers’ exploit involves feeding the Shared Folders code a path containing the two-character component “..”, which Windows, like most operating systems, interprets as “the parent directory,” so that a chain of them walks up and out of the shared folder. The engineers found that under certain circumstances they could place any desired pathname for the target folder after the dots, and that the software’s pathname validation would let it through. “What VMware should do,” says Arce, “is whenever it sees a pathname that has a ‘..’ in it, it should remove the ‘..’ and the stuff that comes after it, because it’s invalid—it’s an attempt to escape the folder being shared.”)
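To make the class of bug concrete, here is an added example (not VMware’s or Core Security’s code) of a host-side resolver for a shared folder, in two versions. The weak version is a constructed stand-in for the kind of filter the article describes, one that looks for “..” in the wrong way and so lets some spellings through; the hardened version joins the guest-supplied path to the share root, canonicalizes it, and then confirms the result still lies under the root, so it does not matter where in the string the “..” sits or whether it is written with backslashes or forward slashes. The share root and the guest inputs are constructed for the demonstration, and Python’s ntpath is used so the Windows path semantics run on any host:

```python
"""Illustrative path-traversal check for a host-side shared-folder handler.

Added example, not VMware's code. weak_resolve stands in for the class of
defect in the article (a '..' filter that misses some variants); safe_resolve
canonicalises the path and confirms it still lies under the share root.
"""
import ntpath

# Constructed share root on the Windows host (any folder would do).
SHARE_ROOT = r"C:\Users\alice\shared"


class PathEscape(ValueError):
    """Raised when a guest-supplied path would leave the shared folder."""


def resolved_target(path: str) -> str:
    """Where the filesystem would actually land: collapse '.', '..' and '/'."""
    return ntpath.normpath(path)


def weak_resolve(root: str, guest_path: str) -> str:
    """Constructed weak check: rejects a path only if it *starts* with '..'.

    A '..' that follows a legitimate component, or one spelled with forward
    slashes, passes straight through and is resolved later by the
    filesystem, which is the shape of bug the article describes.
    """
    if guest_path.startswith(".."):
        raise PathEscape(f"rejected: {guest_path!r}")
    return ntpath.join(root, guest_path)


def escapes_root(root: str, candidate: str) -> bool:
    """True if candidate, once canonicalised, is not inside root."""
    root_n = resolved_target(root)
    cand_n = resolved_target(candidate)
    try:
        common = ntpath.commonpath([root_n, cand_n])
    except ValueError:          # different drives: certainly outside
        return True
    # commonpath compares case-insensitively; normcase makes the final
    # equality check case-insensitive as well.
    return ntpath.normcase(common) != ntpath.normcase(root_n)


def safe_resolve(root: str, guest_path: str) -> str:
    """Join, canonicalise, then check containment.

    Rejects drive-qualified, UNC and rooted paths up front, collapses every
    '.' and '..' component (and any forward slashes) with normpath, and only
    then compares against the root, so a '..' anywhere in the string is
    handled the same way.
    """
    if not guest_path:
        raise PathEscape("empty path")
    drive, rest = ntpath.splitdrive(guest_path)
    if drive or rest[:1] in ("\\", "/"):
        raise PathEscape(f"absolute or UNC path rejected: {guest_path!r}")
    candidate = resolved_target(ntpath.join(root, guest_path))
    if escapes_root(root, candidate):
        raise PathEscape(f"escapes share root: {guest_path!r}")
    return candidate


if __name__ == "__main__":
    # Constructed guest inputs: two legitimate, three traversal attempts.
    for p in (r"docs\report.txt",
              r"docs\..\report.txt",
              r"docs\..\..\..\Windows\win.ini",
              "docs/../../../Windows/win.ini",
              r"C:\Windows\win.ini"):
        try:
            print(f"{p!r:42} -> {safe_resolve(SHARE_ROOT, p)}")
        except PathEscape as e:
            print(f"{p!r:42} -> BLOCKED ({e})")
    leaked = weak_resolve(SHARE_ROOT, r"docs\..\..\..\Windows\win.ini")
    print("weak check let through:", leaked)
    print("which the host resolves to:", resolved_target(leaked))
```

The point of the design is the order of operations: canonicalize first, compare second. Stripping the literal “..” out of a string, as the weak version effectively tries to do, leaves every encoding or placement the filter did not anticipate; checking that the canonical path has the share root as a prefix catches all of them at once, including a “..” that stays inside the share, which is legitimate and is allowed through.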
In essence, the pathname screening failure gives any attacker who has already gained code execution inside the virtual machine free rein over the host computer as well. “Through this vulnerability, code from the guest operating system can read, write, or even overwrite any file on the real operating system, including system files,” explains Arce, whom I reached in Buenos Aires, where Core Security’s research and development center is located. “That means a program running on the virtualized operating system could have full access to the real operating system—something that is not supposed to happen.”
A large contingent of employees at VMware—a subsidiary of Hopkinton, MA-based EMC (NYSE: EMC)—has decamped this week to Cannes, France, where the company’s first large European user conference, VMworld Europe, got underway yesterday. But I was able to get through to Jerry Chen, VMware’s senior director of enterprise desktop software, to talk about the Core Security announcement. Chen acknowledges that the vulnerability exists, and he said the company is working on a patch for it. But he insists that the vulnerability is not a sign of any intrinsic flaw in the isolation that VMware’s software imposes between host and guest systems.
“We have a lot of users who use virtual machines and workstations specifically because of the strong isolation that virtualization provides,” Chen says. “Most of them are not affected, because they do not use this Shared Folders feature. And when you do use this feature—which is off by default—we specifically give you a warning saying that you are exposing yourself to security risks; that once you open up this path between the two operating systems, you are exposing both operating systems to vulnerabilities, and all bets are off.”
Well, not all bets, since VMware clearly doesn’t regard turning on the Shared Folders feature as tantamount to inviting hackers into the system; its developers have taken and are taking steps to head off pathname modification exploits like the one that IDefense Labs and Core Security discovered. Chen’s key point is that users should leave the Shared Folders feature off if they want the full isolation between the host and guest systems that VMware promises. “Intrinsically, the virtual machine is fully isolated, unless you as a user have to constantly break that isolation,” Chen says. “Customers who want pure isolation wouldn’t use this feature, and the fact that we disable it by default means you’re not exposed to it.”
(In the most recent major release of VMware Workstation, the 6.0 release, Shared Folders is indeed turned off by default. But Arce points out that in previous versions, Shared Folders was turned on by default. I wasn’t able to determine whether Shared Folders is on or off in current and older versions of ACE and Player.)
Chen points out that while customers are waiting for a patch, there’s an easy workaround to prevent anyone from exploiting the newly discovered pathname screening vulnerability: turn off Shared Folders. “You can still share files via Windows networking or e-mailing files to yourself, or however you would normally share files between two physical PCs,” Chen says. “So we don’t think that the end user value is impaired by this vulnerability. But we still do plan to offer a patch for the vulnerability in the near future.” The patch could go out as part of an automatic update for the three programs as soon as two weeks from now, says Chen.
In promising a patch, VMware is acknowledging that it has a responsibility to minimize the security risk posed by the Shared Folders feature. But even with the patch—to return to Chen’s point—the company won’t be promising perfect security, since any channel that lets a guest write files to the host is, by design, an opening in the isolation boundary, and its safety rests entirely on how carefully the host validates what comes through it. And that’s not so different, in the end, from Arce’s larger message: with or without perfect isolation, virtualization is no security panacea.
“There are many good reasons for adopting virtualization technologies at different places in an organization,” Arce says. “But if one of those reasons is to improve the security posture of the organization, then that should be considered carefully. It’s not going to happen just because you virtualize your organization’s IT. You have to learn about all the risks—what it is exactly that you are deploying and how secure it is.”
*Correction, 2/27/08, 10:24: Core Security contacted us this morning to say that it reported the vulnerability to VMware on October 16, 2007—not last week, as the story previously stated. I regret the error. -WR