[Security-announce] Critical Windows based VMware Workstation, VMware Player, and VMware ACE Alert
security-announce at lists.vmware.com
security-announce at lists.vmware.com
Fri Feb 22 18:13:25 PST 2008
-----BEGIN PGP SIGNED MESSAGE-----
~ VMware Security Alert
Synopsis: Critical Windows based VMware Workstation,
~ VMware Player, and VMware ACE Alert
Issue date: 2008-02-22
Updated on: 2008-02-22
CVE numbers: similar to CVE-2007-1744
KB URL: http://kb.vmware.com/kb/1004034
~ On Windows hosts, if you have configured a VMware Host to Guest
~ shared folder, it is possible for a program running in the guest
~ to gain access to the host's complete file system and create or
~ modify executable files in sensitive locations.
2. Relevant releases:
~ Windows hosted versions of:
~ VMware Workstation 6.0.2 and earlier,
~ VMware Workstation 5.5.4,and earlier,
~ VMware Player 2.0.2 and earlier,
~ VMware Player 1.0.4 and earlier,
~ VMware ACE 2.0.2 and earlier,
~ VMware ACE 1.0.2 and earlier,
NOTE: VMware Server is not affected because it doesn't use
~ shared folders.
~ No versions of ESX Server, including ESX Server 3i,
~ are affected by this vulnerability. Because ESX
~ Server is based on a bare-metal hypervisor architecture,
~ not a hosted architecture, and it doesn't include any
~ shared folder abilities.
~ Fusion and Linux based hosted products are unaffected.
3. Problem description: (from Core Security Technologies
~ advisory http://www.coresecurity.com/?action=item&id=2129)
~ To improve user inter-operation with virtualized systems
~ VMware's software implements a number of inter-system
~ communication features. The Shared Folder mechanism
~ is one of such feature.
~ VMware's shared folders allow users to transfer data between
~ a virtualized system (Guest) and the non-virtualized Host
~ system that contains it. This form of data transfer is
~ available to users of the Guest system through read and write
~ access to filesystem folders shared by both Guest and Host
~ systems. To maintain effective isolation between Guest and
~ Host systems, these mechanism should limit access from the
~ Guest only to the Host system's folders that are selected
~ for sharing with the virtualized guests.
~ A vulnerability was found in VMware's shared folders
~ mechanism that grants users of a Guest system read and
~ write access to any portion of the Host's file system
~ including the system folder and other security-sensitive
~ files. Exploitation of this vulnerability allows attackers
~ to break out of an isolated Guest system to compromise the
~ underlying Host system that controls it.
~ By default, the shared folders feature is disabled in
~ Workstation 6, Player 2, and ACE 2. In order to
~ exploit this vulnerability, the Virtual Machine must
~ have the shared folders feature manually enabled and
~ at least one folder configured for sharing between the
~ host and guest. Given the requirements of the
~ vulnerability it is not exploitable by default in
~ Workstation 6, Player 2, and ACE 2.
~ Workstation 5, Player 1, and ACE 1 enable the shared
~ folders feature by default, but exploiting this
~ vulnerability still requires at least one folder to
~ be configured as shared between the host and guest.
~ Given the requirements of the vulnerability it is not
~ exploitable by default in Workstation 5, Player 1, and
~ ACE 1.
~ The issue affects all currently supported Windows based
~ versions of VMware Workstation, ACE and Player . It
~ does not affect VMware ESX Server or VMware Desktop
~ Infrastructure products. We have had no reports of this
~ issue occurring in customer environments.
~ Users of Windows based products should implement
~ this workaround:
~ Disable shared folders until a patch can be created.
~ Global Setting:
~ This is done by going into the menu item 'Edit' and
~ then selecting 'Preferences'. In the Workspace tab,
~ under Virtual Machines uncheck the
~ 'Enable all shared folders by default'.
~ Individual Virtual Machine Settings:
~ This is done by going into the menu item 'VM' and
~ selecting settings. Choose the Options tab, and
~ then select shared folders, and select disable.
~ CVE numbers
E-mail list for product security notifications and announcements:
This Security Alert is posted to the following lists:
~ * security-announce at lists.vmware.com
~ * bugtraq at securityfocus.com
~ * full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
VMware security web site
VMware security response policy
General support life cycle policy
VMware Infrastructure support life cycle policy
Copyright 2008 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
-----END PGP SIGNATURE-----
More information about the Security-announce