Many of you have probably heard about the recent Core Security findings which resulted in a security advisory CORE-2007-0930, Path Traversal vulnerability in VMware's shared folders implementation:
A vulnerability was found in VMware's shared folders mechanism that grants users of a Guest system read and write access to any portion of the Host's file system including the system folder and other security-sensitive files. Exploitation of these vulnerability allows attackers to break out of an isolated Guest system to compromise the underlying Host system that controls it.
Successful exploitation requires that the Shared Folder's feature to be enabled which is the default on VMware products that have the feature AND at least one folder of the Host system is configured for sharing.
VMware Shared Folders vulnerability
All versions of VMware's hosted products that include the Shared Folders feature are vulnerable:
- VMWare Workstation 6.0.2
- VMWare Workstation 5.5.4
- VMWare Player 2.0.2
- VMWare Player 1.0.4
- VMWare ACE 2.0.2
- VMWare ACE 1.0.2
VMware Fix for Shared Folders vulnerability
VMware has just released the VMSA-2008-0005 advisory, announcing a number of critical security threats identified and fixed in the next releases of hosted products.
The following security vulnerabilities have been addressed:
- Host to guest shared folder (HGFS) traversal vulnerability
- Insecure named pipes
- Updated libpng library to version 1.2.22 to address various security vulnerabilities
- Updated OpenSSL library to address various security vulnerabilities
- VIX API default setting changed to a more secure default value
- Windows 2000 based hosted products privilege escalation vulnerability
- DHCP denial of service vulnerability
- Local Privilege Escalation on Windows based platforms by hijacking VMware VMX configuration file
- Virtual Machine Communication Interface (VMCI) memory corruption resulting in denial of service
New versions of VMware hosted products
All the above security fixes are incorporated in the following new versions of VMware products, all available for an immediate download:
- VMware Workstation 6.0.3 (Build# 80004)
- VMware Workstation 5.5.6 (Build# 79688)
- VMware Server 1.0.5 (Build# 80187)
- VMware ACE 2.0.3 (Build# 80004) and VMware ACE 1.0.5 (Build# 79846)
- VMware Fusion 1.1.1
- VMware Player 2.0.3 (Build# 80004) and VMware Player 1.0.6 (Build# 80404)
Links:
- Core Security advisory: CORE-2007-0930
- VMware security advisory: VMSA-2008-0005
That's really thinking out of the box. Tnhkas!