VMware Patches Virtualization Flaws

Bugs would allow attackers with administrator-level access to cause a denial of service or even take control of a targeted environment.
VMware last week issued a security bulletin warning that many of its products have two bugs that could be exploited by attackers to cause a denial of service or even take control of a virtual environment.

To patch the vulnerabilities, VMware released new versions of affected software, which includes VMware Workstation 8.0.4 and later, Player 4.0.4 and later, Fusion 4.x (but not the Mac version), as well as all versions of ESXi and ESX.

"The advisory covers pretty much all of VMware's virtualization platforms," said Johannes Ullrich, chief research officer at SANS Institute, in a blog post. "I would not consider either one of these as 'super critical', but in particular the first issue should be patched soon."

The first of the two flaws would allow an attacker to pass a malicious virtual machine to a virtualized VMware environment. "Input data is not properly validated when loading Checkpoint files," VMware explained. "This may allow an attacker with the ability to load a specially crafted Checkpoint file to execute arbitrary code on the host." While there's no workaround for the vulnerability, VMware said that importing virtual machines only from trusted sources would prevent the flaw from being exploited.


The second vulnerability, meanwhile, relates to traffic from remote virtual devices--meaning any device, such as a keyboard or CD-ROM drive, which is available to the virtual machine--being handled incorrectly. "This may allow an attacker who is capable of manipulating the traffic from a remote virtual device to crash the virtual machine," noted VMware. While the company detailed no workarounds for the vulnerability, it did note that for this attack to be successful, the attacker would need administrative privileges on the virtual machine in order to attach remote devices. Accordingly, it recommended that administrators never attach to a virtual machine a remote device that they don't trust.

VMware's security warning and related patch for its virtualization software followed last week's security alert from virtualization rival Xen that a vulnerability in its hypervisor software running on 64-bit Intel CPUs could be exploited by attackers to escape from a guest account and assume control of a hypervisor.

In other bug-related news, security experts are warning that an exploit module for an unpatched Microsoft vulnerability has been added to the free, open source Metasploit penetration testing tool. Microsoft Tuesday warned that the zero-day vulnerability in Microsoft XML (MSXML) Core Services was already being actively exploited in the wild. The bug allows attackers to execute arbitrary code on a compromised PC. According to news reports, the attack had already been used to compromise multiple Gmail accounts, leading Google to warn affected users that "state-sponsored attackers may be attempting to compromise your account or computer."

Finally, Qualys Friday began warning that the popular open source Web application firewall ModSecurity version 2.6.5 and ModSecurity Core Rule Set version 2.2.4--and likely also earlier versions of both--were vulnerable to a bypass attack.

Ivan Ristic, director of engineering at Qualys, wrote in a blog post, "We uncovered a flaw in ModSecurity that may lead to complete bypass of the installed rules, in the cases when ModSecurity is deployed to protect the backends where impedance mismatch is not mitigated." Likewise, a flaw in the ModSecurity Core Rule Set would allow an attacker to bypass the firewall's "content type" attacks, again owing to an impedance mismatch, he said.

Impedance mismatch refers to the firewall interpreting traffic in one way, but a backend application interpreting it differently. "When an impedance mismatch issue exists, the [Web application firewall] may be vulnerable to evasion attacks," Ristic said.
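The following is an added illustration of the impedance-mismatch concept described above; it is constructed for this article and is not ModSecurity code, nor a description of the specific flaw Ristic reported. It models a toy WAF and a toy backend that parse the same form-encoded request body differently in two common ways (exact versus normalized Content-Type comparison, and first-value versus last-value handling of a repeated parameter name), shows which constructed requests the WAF's rule never sees although the backend acts on them, and contrasts a hardened WAF that reuses the backend's parser so both sides interpret the request identically. The rule signature `blocked-marker`, the request samples and all function names are assumptions made for the example.

```python
"""Impedance mismatch between a WAF and the backend it protects (constructed example,
not ModSecurity code). Two parsing differences are modelled:
  1. Content-Type matching: the toy WAF compares the header string exactly; the toy
     backend lower-cases it and drops parameters such as '; charset=utf-8'.
  2. Repeated parameter names: the toy WAF keeps the first value, the toy backend the last.
Either difference means the WAF's rules run over different values than the backend uses.
The hardened WAF reuses the backend's parser, so both sides see the same request.
"""
from urllib.parse import parse_qsl

FORM = "application/x-www-form-urlencoded"
BLOCKED_MARKER = "blocked-marker"   # constructed stand-in for a rule's attack signature


def normalize_content_type(header):
    """Media type only, lower-cased, parameters stripped (the toy backend's behaviour)."""
    if not header:
        return ""
    return header.split(";", 1)[0].strip().lower()


def waf_parse_naive(body, content_type):
    """Toy WAF: exact Content-Type comparison, first value wins for repeated names."""
    if content_type != FORM:
        return {}                       # not recognized as a form body: nothing is inspected
    params = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        params.setdefault(name, value)  # first occurrence kept
    return params


def backend_parse(body, content_type):
    """Toy backend: lenient Content-Type handling, last value wins for repeated names."""
    if normalize_content_type(content_type) != FORM:
        return {}
    return dict(parse_qsl(body, keep_blank_values=True))  # last occurrence kept


def contains_blocked(params):
    """The single rule of this toy WAF: block any parameter value carrying the marker."""
    return any(BLOCKED_MARKER in value.lower() for value in params.values())


def naive_waf_allows(body, content_type):
    return not contains_blocked(waf_parse_naive(body, content_type))


def hardened_waf_allows(body, content_type):
    """Hardened WAF: inspect exactly what the backend will parse, nothing else."""
    return not contains_blocked(backend_parse(body, content_type))


def backend_receives_blocked(body, content_type):
    return contains_blocked(backend_parse(body, content_type))


# Constructed requests: (label, Content-Type header, body)
REQUESTS = [
    ("plain form body", FORM, "q=hello+blocked-marker"),
    ("Content-Type with charset parameter", FORM + "; charset=utf-8", "q=hello+blocked-marker"),
    ("Content-Type in mixed case", "Application/X-WWW-Form-Urlencoded", "q=blocked-marker"),
    ("repeated parameter name", FORM, "q=harmless&q=blocked-marker"),
    ("harmless request", FORM, "q=hello+world"),
]


def find_mismatches(requests=REQUESTS):
    """Labels of requests the naive WAF allows although the backend receives the blocked
    marker: evasions caused purely by the two sides parsing the request differently."""
    return [label for label, ct, body in requests
            if naive_waf_allows(body, ct) and backend_receives_blocked(body, ct)]


if __name__ == "__main__":
    for label, ct, body in REQUESTS:
        print(f"{label:38s} naive WAF allows={naive_waf_allows(body, ct)!s:5s} "
              f"hardened WAF allows={hardened_waf_allows(body, ct)!s:5s} "
              f"backend receives marker={backend_receives_blocked(body, ct)}")
    print("mismatches:", find_mismatches())
```

Running the block lists three of the five constructed requests as mismatches; the hardened WAF blocks all three and still passes the harmless request. The design point is that a WAF's parsing must be at least as lenient as, and ideally identical to, the backend's: every place where the firewall gives up on a request (an unrecognized header form, a duplicate field) while the application still interprets it is a place where the installed rules do not apply.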

Trustwave, which is the primary custodian for ModSecurity, Friday released ModSecurity 2.6.6 and Core Rule Set 2.2.5 to patch the bugs.
