A vulnerability uncovered by security researchers at CoreLabs does not prove that virtual environments are no longer viable testing grounds for malicious code, according to officials at VMware.
Experts at CoreLabs, the research arm of Boston-based Core Security Technologies, have discovered an exploit targeting VMware’s desktop software that could allow attackers to break out of the isolated environment to gain full access to the host system.
The vulnerability lies in an improper validation of the PathName parameter passed by a malicious program or user in the guest system to VMware’s Shared Folders mechanism, which in turn passes it to the host computer’s file system. The researchers discovered that by using a specially crafted PathName to access a VMware shared folder, it is possible to gain complete access to the host’s file system-permitting hackers to get their hands on executable files.
For companies accustomed to testing in virtual environments, this vulnerability means any malicious code introduced in the virtual environment could propagate to the actual operating system, said Ivan Arce, chief technology officer of Boston-based Core Security Technologies.
“[This] shows the perceived isolation of a virtual environment may not be so,” Arce said. “The perception is that [virtualization is] some sort of magical thing; it’s immune to bugs.”
However, Jerry Chen, senior director of enterprise desktop at VMware, noted that users have to enable the Shared Folders feature to be vulnerable to an exploit targeting this issue. Furthermore, when a user enables the feature there is a warning indicating isolation no longer exists, he said. In addition, anyone using a virtual environment to test applications is unlikely to have the feature enabled so as to protect the host operating system from any threats, he explained.
“A virtual machine intrinsically is a very strong container,” Chen said.
Many organizations use virtual environments as testing grounds for applications because they can support multiple OS and development environments without long-term dedication of specific hardware and software resources, explained industry analyst Charles King.
“As a result, virtualized environments can help developers respond to market changes and potential threats more quickly and effectively, helping to ensure more rapid responses,” said King, an analyst with Pund-IT.
According to CoreLabs, the vulnerability affects VMware Workstation, Player and ACE software. Researchers found the vulnerability while developing an exploit for a similar vulnerability uncovered by iDefense Labs last year.
Vulnerable VMware products that implement the Shared Folders feature fail to properly sanitize malicious input in the PathName parameter. Although stricter input validation was used to fix the vulnerability discovered by iDefense, the shared folder mechanism still provides complete access to the underlying file system of the host system due to improper handling of strings with multi-byte codings.
Chen said VMware is working on a patch to address the issue. In the meantime, organizations can mitigate risk by disabling the Shared Folders feature in all installations of the vulnerable software, or configuring it to allow read-only access to the Host folder, which may still provide limited mitigation, according to CoreLabs.