Updated: VMware poor guest isolation design
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
*Summary*
VMware VIX API 1.1 supports an option that allows users with privileges
on the host machine to execute programs on a guest operating system
under the identity of a user currently logged into the guest. For
example, if user A powers on a virtual machine (VM) and logs into the
guest operating system, then a user B who has privilege on the host
machine to connect to that VM can also write scripts that will
anonymously run programs in the VM guest operating system as user A.
Note that the only users who can access the VM this way are either the
same users who have powered on the VM or an administrator on the host.
*Affected products:*
This behavior is only present in Workstation 6.0, Workstation 6.0 with
ACE Option Pack, and VMware Player 2.0.
This issue does not affect any released version of VMware Server, VMware
ESX Server, or VMware GSX Server.
This issue also does not affect deployed ACE 2.0 virtual machines.
*How to disable this behavior*
You can disable this behavior by adding an entry to the host
configuration file. This will override any VM-specific configuration and
globally disable the behavior for all virtual machines running on the host.
The host configuration is owned by the System/root account, so it is
protected against non-root users who have virtual machines on the system.
This behavior can be disabled at the host level by adding the following
line to the host configuration file:
guest.commands.anonGuestCommandsRunAsConsoleUser = "FALSE"
On Linux, the default pathname for this file is:
/usr/lib/vmware/settings
(Note that "settings" is the file name, not another directory name.)
On Windows (except Windows Vista), the default pathname for this file is:
C:\Documents and Settings\All Users\Application
Data\VMware\VMware Workstation\settings.ini
On Windows Vista, the default pathname for this file is:
C:\ProgramData\VMware\VMware Workstation\settings.ini
(Note that on Windows Vista, the "ProgramData" directory may be hidden
by default.)
If you installed the product in a custom location, then the path name
for the configuration file may be different.
Normally, the file will not exist. If the file does not exist, then
first create a new blank text file named "settings" on Linux and
"settings.ini" on Windows and then add the new settings line.
Alternatively, you can also add the following line to the VMX
configuration file to disable the behavior on a per-VM basis:
guest.commands.anonGuestCommandsRunAsConsoleUser=FALSE
The only feature of VMware Workstation that relies on this behavior is
the Integrated Virtual Debugger, i.e. the optional plugins for Eclipse
IDE and Microsoft Visual Studio. Disabling this login mode as documented
above will disable this feature.
In addition, VIX API client programs and scripts which depend on this
login mode while calling VixVM_LoginInGuest will need to be modified to
use a username and password to login to the guest.
*The rationale for this design decision*
We added this functionality to VMware Workstation in order to provide a
seamless user experience using Integrated Virtual Debugger – a user will
not be prompted to log-in each time a program is launched to run/debug
inside a VM.
We determined that, although this automates interaction with the guest
operating system, this is not a /bona fide/ escalation of privileges in
the guest operation system because any user who can access the VM this
way can already open the user interface and manually interact with the
guest under the identity of the currently logged-in user.
In other words, if you are able to connect to a running VM, you need to
be either the user who powered on the VM, or you are an administrator of
the host. So, this behavior only applies to users who already have
access to the VM.
However, we take this feedback very seriously, and we are reevaluating
this design decision for the next dot-release of Workstation.
For further questions regarding this issue or other security related
issues for VMware, please contact us at security@xxxxxxxxxxx
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
iD8DBQFG1h1pS2KysvBH1xkRCPUmAJ0TIfQlGDl6t7Rad+HeAyldW5KtHgCeLwlj
Sij6woX7EFYylIN9q8Q73OA=
=wnfC
-----END PGP SIGNATURE-----