The following guest post was sent to Microsoft Subnet by the same security pro who sent us an analysis of the Intel CPU cache poisoning — noting that it was dangerously easy on Linux, compared to Windows (with the caveat that the attacker can somehow gain admin-level access rights). Today, we are looking at another vulnerability announced a few weeks ago — the host code execution vulnerability from a guest operating system.
A critical vulnerability in the virtual machine display function might allow a guest operating system to run code on the host via a bug that affects just about all of VMware products, including Fusion and ESX. This is of course the Holy Grail for any VM attacker and the worst-case scenario for the host VM owner. If this bug were exploited, it would allow an attacker to jump out of say a Windows XP VM instance down to your HOST system, say Mac OSX or Windows XP. But there’s no reason for panic. VMware released a fix on March 10 via a critical security advisory. VMware obviously recommends all customers upgrade to the fixed versions pronto. The good news is that there are no known exploits in the wild as of right now but, unlike many other bugs, the advisory also doesn’t state if the attacker needs to have administrator rights on a VM in order to perform this exploit or just regular user rights.
A senior researcher from Immunity Inc., Kostya Kortchinsky (the one who allegedly discovered the bug) has written proof of concept exploit code to demonstrate the attack. Kostya has posted a video of his code, called Cloudburst, in action. The video depicts a guest Virtual Machine running Windows XP launching the Cloudburst program which, when executed, jumps out of that VM and runs code on the host Windows Vista machine. In this case it launches the calculator program on the host machine.
This type of attack vector reinforces some of my personal beliefs about securing VM instances. You need to protect your guest VM’s even more vigilantly than a regular machine. If you compromise a regular machine you own that machine. If you compromise a single guest VM then you could potentially jump off that VM and own the host and all the other VMs that run on the host. A security alert like the one in this article proves that out.
One best practice for securing virtual machines is to group like security level VMs together on physical host servers. Said another way, don’t put a highly critical VM onto the same host physical server with a low critical VM. Less critical VM servers generally tend to be maintained and secured less vigilantly than highly business critical VMs. That gives you your weakest link attack vector next to your high value targets.
With the VMware patches out, all that’s required is diligence about applying them corporate wide. I’m still a Fusion user myself. I have moved over to a MacBook. My transition has been exceptional in every way. However, some programs only run on Windows so I run VMWare’s Fusion with a VM of Windows XP for those. Most corporate Mac users do this same thing. It performs very well (quicker than my Windows laptop in fact) and when your windows VM starts acting up you just restore a previous known good snapshot of it and everything is better again. It’s analogous to re-installing your Microsoft OS and all programs, except it only takes about two minutes. Very useful indeed!
Now, if you haven’t already, please go and secure and patch your VMware systems. And if you’ve had any issues with applying the new patches, please post a comment and share.
Disclaimer: this guest post was written by someone who is not associated with Microsoft or with VMware. If you have a guest post you’d like to share, please contact Microsoft Subnet editor Julie Bort.
Visit the Microsoft Subnet web site for more news, blogs, podcasts. Subscribe to all Microsoft Subnet bloggers. Sign up for the bi-weekly Microsoft newsletter. (Click on News/Microsoft News Alert.)
Using offshore certified Microsoft partners? Beware of security holesWindows 7 and ISOs, Hyper-V and NLB, and SakuraMeet me in … a Meeting Workspace: Tips and Best PracticesMicrosoft OpsMgr R2 release candidate available, will ship end of JuneMicrosoft Vine, Web Sandbox and other nifty beta appsWindows 7 arrives, supports “virtual” XP12 killer freebie SharePoint add-onsCloud computing is cheaper, greener but not yet enterprise ready.Net Services: Microsoft’s key to cloud security and Java interoperabilityFollow Microsoft Subnet on Twitter




