RE: VMWare poor guest isolation design

To: William Holmberg <wholmberg@xxxxxxxxx>
Subject: RE: VMWare poor guest isolation design
From: Arthur Corliss <corliss@xxxxxxxxxxxxxxxx>
Date: Thu, 23 Aug 2007 23:16:17 -0800 (AKDT)
Cc: "M. Burnett" <mb@xxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <5971DD44F005414ABA552FC57B2B6A77400F1E@xxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <008001c7e534$e4b84490$ae28cdb0$@net> <Pine.LNX.4.64.0708230834211.13100@xxxxxxxxxxxxxxxxxxxxxxxx> <5971DD44F005414ABA552FC57B2B6A77400F1E@xxxxxxxxxxxxxxxxxxxxxxx>

On Thu, 23 Aug 2007, William Holmberg wrote:

Arthur,
Perhaps there are implementations in certain businesses that require
those things. It is possible you may not be the only person with that
level of access, particularly in a large environment with 50 or so DA's,
and 10's of 1000's of users, with dozens or hundreds of VM's...

Looked at in the perspective that you don't *own* the hardware and the
VM's on them, would that alter your answer at all?


I think a realistic example would be a mass hosting company where your vm
resides on a server with other potentially hostile vms.  First off, you're
not vulnerable via this technique by those other users.  Guests can't spawn
processes in the host OS.

So, the only risk is the from your hosting company's admins, and any
rational person would have already evaluated the assumption of risk and
chosen to *not* place sensitve, proprietary data on that box in the first
place.  Remember, you have no physical security at that point, so all bets
are already off.

But, say you can accept that risk -- you can still eliminate that attack
vector by a) not running the guest utilities *or* b) not logging onto the
(virtual) local console.  Please correct me if I'm wrong, but that's a
prerequisite in order for this to work, because the listening agent for
those commands runs as a userland process.  Use ssh or RDP (and if you're
using RDP w/Windows then for god's sake *disable* the guest utilities,
because they provide *no* value for remote connections).

In this scenario I still don't believe this is an issue, especially since
it's that easy to disable.

Extending this to an internal corporate platform changes nothing.  In a sane
deployment the large groups of admins would only have access to vms, not the
host platform.  Only a select group of admins would have access to the host
OS, and then common security practices of logging & auditing applies.  The
number of potential abusers are minimal, and with remote logging to servers
under the security team's control the ability to cover their tracks is
extremely difficult.

Am I missing something, or is this still much ado about nothing?  I agree
that that functionality should be very clearly labeled, and probably beyond
what vmware currently does.  But overall, this is a very easily managed
vector.

        --Arthur Corliss
          Live Free or Die

References:
- VMWare poor guest isolation design
  - From: M. Burnett
- Re: VMWare poor guest isolation design
  - From: Arthur Corliss
- RE: VMWare poor guest isolation design
  - From: William Holmberg

Prev by Date: Tikiwiki 1.9.7 HTML/embed object injection
Next by Date: RE: VMWare poor guest isolation design
Previous by thread: RE: VMWare poor guest isolation design
Next by thread: RE: VMWare poor guest isolation design
Index(es):
- Date
- Thread