VMware security bug exposed

By Peter Judge, ZDNet UK
Tuesday, February 26, 2008 08:53 AM

VMware has failed to fix a severe bug in its virtualization software that can expose users' critical information, according to a security company.

The revelation comes days before the vendor's VMworld event in France, where VMware is expected to announce an important security initiative in partnership with other major companies.

The announcement shows that virtualization software is just as vulnerable as any other software, according to security vendor Core Security Technologies, which is releasing software that demonstrates the problem.

Core has released proof-of-concept exploit software, which it says demonstrates a serious flaw in VMware's desktop virtualization software that could give hackers control of virtualized systems, and which it claims VMware has been aware of for four months.

The security vendor is releasing the exploit in the week of the VMworld event in the hope that publicity will force VMware to take action, and to make users aware of the problem and enable them to "safely assess the consequences of an actual network intrusion", and apply a simple workaround to avoid the problem.

The vulnerability could allow an attacker to create or modify executable files on the host operating system, through weaknesses in VMware's shared folders feature. Hackers can use a specially crafted PathName to access a VMware shared folder, because VMware does not properly validate PathNames, according to Iván Arce, chief technology officer at Core.

The demonstration reveals that virtualization environments are no safer than any other software environment, according to Arce: "Organizations often adopt virtualization technologies with the assumption that the isolation between the host and guest systems will improve their security posture.

This vulnerability provides an important wake-up call to security-concerned IT practitioners. It signals that virtualization is not immune to security flaws and that 'real' environments aren't safe simply because they sit behind virtual environments."

CoreLabs staff found the vulnerability in October, while investigating a similar vulnerability in VMware Workstation disclosed by Greg McManus of IDefense Labs in March 2007.

"Since October we have been exchanging e-mail messages with the VMware security team," said Arce. "The fix was supposed to be released in December, then January, then February. The workaround is simple and easy, so rather than continue to wait, we felt we should inform the users, and then wait for an official response."

To avoid the flaw, users have to disable shared folders and use alternative methods to share files, said Arce: "If they need to transfer files, there are other ways to do this. It shouldn't be too difficult." If they need shared folders, it is safe to configure them for read-only access and/or use file system monitoring on the host operating system.

Shared folders is turned on by default, so most VMware users could be vulnerable, according to Core. Despite VMware's delays, Arce believes the company is on the right track: "This is the first time we have dealt with VMware, and I think they do have the right skill set in terms of security," he told ZDNet Asia sister site ZDNet. "I think they could improve their processes, but compared to other vendors they are not the worst or the best. Virtualization is no more secure than any other software."

"Path traversal vulnerabilities" like this, also found in Web server software and Web applications, generally involve the specification of pathnames that include the ".." substring to escape out of folder access restriction. To prevent this type of attack, it is common to filter out the potentially malicious substring from input received from untrusted sources, according to Core's release.
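The following added example (not code from VMware, Core or the original article) contrasts the ".." substring filter described above with canonicalising the path first and then checking that it stays inside the shared folder. The root `/srv/vmshare`, the function names and the sample inputs are assumptions constructed for illustration.

```python
import posixpath

SHARE_ROOT = "/srv/vmshare"  # hypothetical host directory exposed to the guest


def substring_filter(name):
    """Weak form: reject any name containing '..', then join onto the root."""
    if ".." in name:
        raise ValueError("rejected by '..' filter")
    return posixpath.join(SHARE_ROOT, name)


def resolve_in_share(name, root=SHARE_ROOT):
    """Hardened form: canonicalise first, then require the result to stay under root."""
    if "\x00" in name:
        raise ValueError("NUL byte in path")
    # Treat both separator styles alike and force the name to be relative.
    relative = name.replace("\\", "/").lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, relative))
    # Lexical containment check; on a live filesystem use os.path.realpath
    # on both sides so symlinks are resolved before comparing.
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError("path escapes shared folder")
    return candidate


def check(fn, name):
    """Return the resolved path, or the string 'REJECTED' if fn refuses the name."""
    try:
        return fn(name)
    except ValueError:
        return "REJECTED"


# Constructed sample inputs, not taken from the advisory.
SAMPLES = ["docs/report.txt", "notes..old.txt", "../../etc/hosts",
           "docs/../../etc/hosts", "/etc/hosts", "..\\..\\boot.ini"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:28} filter={check(substring_filter, s)!r:32} "
              f"canonical={check(resolve_in_share, s)!r}")
```

The substring filter both refuses the harmless name `notes..old.txt` and lets the absolute path through unchanged, while the canonicalising check accepts the former and keeps the latter inside the share.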

VMware is preparing its own security initiative, called VMsafe, to be launched at VMworld, according to reports by Reuters, in which unnamed sources say the company is working with Symantec, McAfee, IBM's ISS division, Check Point and the RSA security unit of VMware parent EMC.

VMware did not respond to requests for information by press time.



Talkback 1 comments

A perfect backup Software
Hi Peter, This article: VMware security bug exposed is a thumbs-up!

I have always depended heavily on backing up in virtual environments. "'Real' environments aren't safe simply because they sit behind virtual environments." After carefully reading the security bug VMware had and hearing stories about how automatic backup did not back up appropriately in virtual environments because we trust in the professionalism of the software that we automatically assume it to be completely protected and working at all times that even if it has bugs, when we realize them, it may already be too late to recover those files and documents that were not automatically cloned like they were supposed to.

First of all, VMware is most likely working hard to fix this bug now that it's public and distributors may be discouraged to sign agreement contracts. I'm sure this article will be outdated soon in its specificity on VMware, but its ideas are long-lasting in regards to opinion on virtual environment.

Thus, I'm taking a step back in technology. Though it may take a bit more time to clone images to a physical disc, it is definitely worthwhile.

Or use USB Hot Drive, a feature offered in few software such as Acronis, to back up and recover from a physical USB. A plus about this feature is that: after a virus or hacker attack that deleted your programs, you have to wait hours for your hard drive to recover the cloned images. But you can access quickly in minutes through USB first.

Or, as offered by FarStone, snapshot allows automatic, incremental backup directly in a hidden partition of hard drive, well secured from virus and hackers. This insulates it as its own on the guest system.

Though not all the time, backing up in virtual environment truly does save time and ensure high rate of security on your computer offered by Symantec in Physical to Virtual image conversion feature.

Universal Restore included in DriveClone allows me to share the backup software in dissimilar hardware from Toshiba to Sony with no compatibility problem. So I won't have to buy individual software for each and every one of my laptops.

Although there is not one perfect, or the best backup software, there are exceptional ones out there which we can afford for our files to have insurance policies as our files become more and more important in the age of technology. Just like cars, our virtual words and files and tons of software and digital photo need to be insured. And it only costs around $60 usually. So far, I know DriveClone works the best for me because it offers backup in virtual and physical environment.
Posted by Kuanglien on Wednesday, March 05 2008 02:40 AM
