[Security-announce] Critical Windows based VMware Workstation, VMware Player, and VMware ACE Alert

security-announce at lists.vmware.com security-announce at lists.vmware.com
Fri Feb 22 18:13:25 PST 2008 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------
~                   VMware Security Alert

Synopsis:          Critical Windows based VMware Workstation,
~                   VMware Player, and VMware ACE Alert
Issue date:        2008-02-22
Updated on:        2008-02-22
CVE numbers:       similar to CVE-2007-1744
KB URL:            http://kb.vmware.com/kb/1004034
- -------------------------------------------------------------------

1. Summary:

~   On Windows hosts, if you have configured a VMware Host to Guest
~   shared folder, it is possible for a program running in the guest
~   to gain access to the host's complete file system and create or
~   modify executable files in sensitive locations.

2. Relevant releases:

~   Windows hosted versions of:
~      VMware Workstation 6.0.2 and earlier,
~      VMware Workstation 5.5.4,and earlier,
~      VMware Player 2.0.2 and earlier,
~      VMware Player 1.0.4 and earlier,
~      VMware ACE 2.0.2 and earlier,
~      VMware ACE 1.0.2 and earlier,

NOTE: VMware Server is not affected because it doesn't use
~      shared folders.

~      No versions of ESX Server, including ESX Server 3i,
~      are affected by this vulnerability.  Because ESX
~      Server is based on a bare-metal hypervisor architecture,
~      not a hosted architecture, and it doesn't include any
~      shared folder abilities.

~      Fusion and Linux based hosted products are unaffected.

3. Problem description: (from Core Security Technologies
~   advisory http://www.coresecurity.com/?action=item&id=2129)

~   To improve user inter-operation with virtualized systems
~   VMware's software implements a number of inter-system
~   communication features. The Shared Folder mechanism
~   is one of such feature.

~   VMware's shared folders allow users to transfer data between
~   a virtualized system (Guest) and the non-virtualized Host
~   system that contains it. This form of data transfer is
~   available to users of the Guest system through read and write
~   access to filesystem folders shared by both Guest and Host
~   systems. To maintain effective isolation between Guest and
~   Host systems, these mechanism should limit access from the
~   Guest only to the Host system's folders that are selected
~   for sharing with the virtualized guests.

~   A vulnerability was found in VMware's shared folders
~   mechanism that grants users of a Guest system read and
~   write access to any portion of the Host's file system
~   including the system folder and other security-sensitive
~   files. Exploitation of this vulnerability allows attackers
~   to break out of an isolated Guest system to compromise the
~   underlying Host system that controls it.

4. Solution:

~   By default, the shared folders feature is disabled in
~   Workstation 6, Player 2, and ACE 2.  In order to
~   exploit this vulnerability, the Virtual Machine must
~   have the shared folders feature manually enabled and
~   at least one folder configured for sharing between the
~   host and guest.  Given the requirements of the
~   vulnerability it is not exploitable by default in
~   Workstation 6, Player 2, and ACE 2.

~   Workstation 5, Player 1, and ACE 1 enable the shared
~   folders feature by default, but exploiting this
~   vulnerability still requires at least one folder to
~   be configured as shared between the host and guest.

~   Given the requirements of the vulnerability it is not
~   exploitable by default in Workstation 5, Player 1, and
~   ACE 1.

~   The issue affects all currently supported Windows based
~   versions of VMware Workstation, ACE and Player .  It
~   does not affect VMware ESX Server or VMware Desktop
~   Infrastructure products.  We have had no reports of this
~   issue occurring in customer environments.

~   Users of Windows based products should implement
~   this workaround:

~   Disable shared folders until a patch can be created.

~   Global Setting:
~   This is done by going into the menu item 'Edit' and
~   then selecting 'Preferences'. In the Workspace tab,
~   under Virtual Machines uncheck the
~   'Enable all shared folders by default'.

~   Individual Virtual Machine Settings:
~   This is done by going into the menu item 'VM' and
~   selecting settings.  Choose the Options tab, and
~   then select shared folders, and select disable.

5. References:

~  http://www.coresecurity.com/?action=item&id=2129
~  CVE numbers
~  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1744
~  http://www.securityfocus.com/bid/27944

6. Contact:

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Alert is posted to the following lists:

~  * security-announce at lists.vmware.com
~  * bugtraq at securityfocus.com
~  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com

VMware security web site
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2008 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHv4FES2KysvBH1xkRCA3HAJ9hLbkzQGgoDxyGWRRPJ7TzahS04ACfV45c
aUYbj80xkvU0tme7iuSEKD0=
=xp25
-----END PGP SIGNATURE-----

More information about the Security-announce mailing list