virtual machines
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5274
Description:
Previous versions of Sun's Java implementation are vulnerable to multiple
issues which allow attackers to break the security model of the Java
Virtual Machine and run arbitrary code as the user running Java (most often
a non-root user in a browser setting) via multiple vectors.
---
Copyright 2007 Foresight Linux Project
After the update or patch is applied, VMware Guest Tools must
be updated in any pre-existing Windows-based Guest Operating
System. The XPDM and WDDM drivers are part of Tools.
Windows-Based Virtual Machines that have moved to Workstation
8 or Player 4 from a lower version of Workstation or Player
are affected unless:
- They were moved from Workstation 7.1.5 or Player 3.1.5,
a. Loading a corrupt delta disk may cause ESX to crash
If the VMDK delta disk of a snapshot is corrupt, an ESX host might
crash when the corrupted disk is loaded. VMDK delta files exist
for virtual machines with one or more snapshots. This change ensures
that a corrupt VMDK delta file cannot be used to crash ESX hosts.
A corrupt VMDK delta disk, or virtual machine would have to be loaded
by an administrator.
M. Burnett:
> It doesn't matter how secure all my guests are or that I use extremely
> secure passwords or that I am current on all my patches or I am running a
> super-tight firewall on each guest. A single API call bypasses all of that.
It doesn't even take an API. If you're running a virtual machine
from your own account, your account has control over the virtual
machine. It can subvert the hardware, it can modify the contents
of virtual memory, the virtual disk image, and so on.
This is a basic but often overlooked principle with virtualization:
III. ANALYSIS
Exploitation of this vulnerability allows an unprivileged local user to
patch and execute arbitrary code within the kernel of a Windows guest
operating system. In order to exploit the vulnerability, an attacker
needs to be able to login to the target VMware guest virtual machine
and execute a specially crafted executable.
IV. DETECTION
iDefense confirmed the existence of this vulnerability in hgfs.sys as
dereference via a crafted image file (CVE-2009-0793).
Further security fixes in the JRE and in the Java API of OpenJDK:
A flaw in handling temporary font files by the Java Virtual
Machine (JVM) allows remote attackers to cause denial of service
(CVE-2006-2426).
An integer overflow flaw was found in Pulse-Java when handling Pulse
audio source data lines. An attacker could use this flaw to cause an
applet to crash, leading to a denial of service (CVE-2009-0794).
This may be far off course but with all the discussions of VMware as a safe
sandbox that has broad security value it seems we have to pay attention to
the assumptions. IF the virtual machine is operating properly, it can
provide a level of sandboxing and restrict session privileges for that
instance of the machine. However, the most common exploit in software
continues to be memory leakages or buffer overflows.
It seems to me that if the code that can be injected through the most common
attack vector (buffer overflows) executes with full privileges of the real
hosting machine, there would be little benefit to the virtualization. Am I
- JVM Version 6 Update 1
- JVM Version 6 Update 2
I. Background
~~~~~~~~~~~~~
Dictionary.com: "The Java Virtual Machine (JVM) is software that converts
the Java intermediate language (bytecode) into machine language and executes it.
The original JVM came from the JavaSoft division of Sun. Subsequently,
other vendors developed their own; for example, the Microsoft Virtual
Machine is Microsoft's Java interpreter. A JVM is incorporated into
a Web browser in order to execute Java applets. A JVM is also installed in a
possible to manipulate data pointers within the VMX process.
This vulnerability may allow a guest user to crash the VMX
process or potentially execute code on the host.
Workaround
- Configure virtual machines to use less than 4 GB of memory.
Virtual machines that have less than 4GB of memory are
not affected.
Mitigation
- Do not allow untrusted users access to your virtual machines.
required domain name.
CVE-2011-3563
The Java Sound component did not properly check for array
boundaries. A malicious input or an untrusted Java application
or applet could use this flaw to cause Java Virtual Machine to
crash or disclose portion of its memory.
CVE-2011-5035
The OpenJDK embedded web server did not guard against an
excessive number of request parameters, leading to a denial
* The SMB dissector could dereference a NULL pointer. (Bug 4734)
* J. Oquendo discovered that the ASN.1 BER dissector could overrun
the stack.
* The SMB PIPE dissector could dereference a NULL pointer on some
platforms.
* The SigComp Universal Decompressor Virtual Machine could go into
an infinite loop. (Bug 4826)
* The SigComp Universal Decompressor Virtual Machine could overrun
a buffer. (Bug 4837)
_______________________________________________________________________
a qemu disk to determine its format and did not require that the format be
declared in the XML. This is considered a security problem in most
deployments and this version of libvirt will default to the 'raw' format
when the format is not specified in the XML. As a result, non-raw disks
without a specified disk format will no longer be available in existing
virtual machines.
The libvirt-migrate-qemu-disks tool is provided to aid in transitioning
virtual machine definitions to the new required format. In essence, it will
check all domains for affected virtual machines, probe the affected disks
and update the domain definition accordingly. This command will be run
it as a
> feature-I am simply pointing out the potential danger, that it was a poor
> design decision, and that there is a need to establish best practices for
> virtual machine guest and host isolation.
I don't see this as a serious problem. This is the virtual equivalent of no
physical security. If the host OS (or an account within it) is compromised,
untrusted code (including applets) to elevate its privileges.
CVE-2011-0864
Hotspot, the just-in-time compiler in OpenJDK, mishandled
certain byte code instructions, allowing untrusted code
(including applets) to crash the virtual machine.
CVE-2011-0865
A race condition in signed object deserialization could
allow untrusted code to modify signed content, apparently
leaving its signature intact.
* Smarter and Dumber fuzzing for binary only vulnerability hunt
* Static and Dynamic binary or source-based analysis
* Hacking mobile: defeating iOS and Android security
* Kernel land exploits
* New advances in Attack frameworks and automation
* Virtual Machines and Virtual Infrastructures evasion
* Governmentalization of hacking projection force
[*] Attacking Infrastructures
* Bank & insurance: Swift and national electronic fund transfer technologies
* Telecom attacks
Windows applications on a virtualized Windows XP SP3 operating system
directly from the Windows 7 desktop but in doing so they may be
inadvertently increasing their risk due to a bug that makes standard
Windows anti-exploitation mechanisms ineffective.
A vulnerability found in the memory management of the Virtual Machine
Monitor makes memory pages mapped above the 2GB available with read or
read/write access to user-space programs running in a Guest operating
system. By leveraging this vulnerability it is possible to bypass
security mechanisms of the operating system such as Data Execution
Prevention (DEP) [1], Safe Structured Error Handling (SafeSEH) [2] and
Problem Description:
Qemu 0.9.1 and earlier does not perform range checks for block
device read or write requests, which allows guest host users with
root privileges to access arbitrary memory and escape the virtual
machine. (CVE-2008-0928)
The updated packages have been patched to prevent this.
_______________________________________________________________________
References:
Debian-specific: no
CVE Id(s) : CVE-2010-2994 CVE-2010-2995
Several implementation errors in the dissector of the Wireshark network
traffic analyzer for the ASN.1 BER protocol and in the SigComp Universal
Decompressor Virtual Machine may lead to the execution of arbitrary code.
For the stable distribution (lenny), these problems have been fixed in
version 1.0.2-3+lenny10.
For the unstable distribution (sid), these problems have been fixed in
============================================================
WORKSHOPS
* Assurable and Usable Security Configuration
* Digital Rights Management
* Virtual Machine Security
* Security and Artificial Intelligence
* Secure Execution of Untrusted Code
* Privacy in the Electronic Society
* Cloud Computing Security
* Digital Identity Management
> Only if you *choose* to run the userland utilities. If you don't, all the
> queuing in the world won't get those commands executed.
>
> > However, I propose an alternate attack scenario: if the host system is
> > compromised, then the program is able to write to the VMware Disk
> > files or the physical partition that the virtual machines are
> > installed in. This means that you can write arbitrary things to it or
> > change files around, so you can have the same effect if you, say, add
> > a command to the root user's crontab...
>
> Which is my point. If you don't have security on the host, you're already
========================================================================
Workshop on Virtual Machine Security (VMSec 2009)
http://csis.gmu.edu/VMSec09/
This workshop, the first of its kind to deal exclusively with virtual
machine security, will tackle the important research topics in
virtualization security. This workshop aims to bring together leading
interaction is required to exploit this vulnerability in that the target
must visit a malicious page.
The specific flaw exists in the handling of NTLM authentication
requests generated in the context of the Java Runtime. The Java Virtual
Machine will ignore browser policies and respond to WWW-Authenticate
requests from the Internet zone, resulting in the leakage of NTLM
authentication hashes to attackers.
-- Vendor Response:
Oracle has issued an update to correct this vulnerability. More
Both the Enomaly ECP implementation and the VMcasting protocol itself are
believed to be vulnerable.
Background
Enomaly ECP is management software for virtual machines in cloud computing
environments.
Description
Sam Johnston (http://samj.net/) of Australian Online Solutions
to perform their functions if the malware file is missing read, write or
delete permissions. They might not scan the file contents due to missing
read permission, not delete it due to missing Delete permission, not
disinfect it due to missing Write Data permission, or not move it to quarantine.
For the test, Windows XP Professional SP3 (running in a virtual machine
provided by VirtualBox v4.1.4) and the Back Orifice 2000 server file
(bo2k.exe) ( http://www.bo2k.com/ ) were used as the test file (with file
permissions set to only allow execution).
Background:
==========
ActionScript code is compiled into ActionScript Byte Code segments,
loaded by AVM2 (ActionScript Virtual Machine 2).
These segments are described by the abcFile structure:
abcFile
{
u16 minor_version
u16 major_version
d. VMware VIX Application Programming Interface (API) Memory Overflow
Vulnerabilities
The VIX API (also known as "Vix") is an API that lets users write scripts
and programs to manipulate virtual machines.
Multiple buffer overflow vulnerabilities are present in the VIX API.
Exploitation of these vulnerabilities might result in code execution on
the host system or on the service console in ESX Server from the guest
operating system.
======================================================================
3) Vendor's Description of Software
"VMware Workstation makes it simple to create and run multiple virtual
machines on your desktop or laptop computer. ... You can even use
Workstation 6.5 to record and play video files ..."
Product Link:
http://www.vmware.com/products/ws/
2. Impact Information
Background
Enomaly ECP (formerly Enomalism) is management software for virtual machines.
Description
Sam Johnston of Australian Online Solutions reported that enomalism2.sh uses
the /tmp/enomalism2.pid temporary file in an insecure manner.
Document released: 08.01.08
-- Overview --
Sun JRE is described [1] as "the Java APIs, Java Virtual Machine
(HotSpot VM), and other components necessary to run applets and
applications written in the Java programming language".
The software provides a virtualisation layer that allows Java
applications to be run across platforms and operating systems. These