Virtual Machines
available.
3. Problem Description
a. VMware Descheduled Time Accounting driver vulnerability may cause a
denial of service in Windows based virtual machines.
The VMware Descheduled Time Accounting Service is an optional,
experimental service that provides improved guest operating system
accounting.
Steps needed to remediate this vulnerability:
Guest systems on VMware Workstation, Player, ACE, Server, Fusion
- Install the remediated version of Workstation, Player, ACE,
Server and Fusion.
- Upgrade tools in the virtual machine (virtual machine users
will be prompted to upgrade).
Guest systems on ESX 4.0, 3.5, 3.0.3, 2.5.5, ESXi 4.0, 3.5
- Install the relevant patches (see below for patch identifiers)
- Manually upgrade tools in the virtual machine (virtual machine
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02560655
Version: 2
HPSBMA02598 SSRT100314 rev.2 - HP Insight Control Virtual Machine Management for Windows, Remote Cross Site Scripting (XSS), Denial of Service (DoS), Cross Site Request Forgery (CSRF)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-10-25
Last Updated: 2010-10-28
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02560655
Version: 1
HPSBMA02598 SSRT100314 rev.1 - HP Insight Control Virtual Machine Management for Windows, Remote Cross Site Scripting (XSS), Privilege Escalation, Cross Site Request Forgery (CSRF).
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-10-25
Last Updated: 2010-10-25
Analysis
========
There is a code execution vulnerability in VMware Tools for Windows that
allows a local attacker (being able to log on locally to the virtual
machine) to plant a malicious executable with a specific name on the local
drive and wait for this executable to get launched when another user logs
on to the virtual machine.
While this scenario is usually blocked on default VMware Tools'
installations on Windows XP, Windows Vista and Windows 7 due to the
. VMWare ESX
. VMWare Server
*Vendor Information, Solutions and Workarounds*
Disable the Shared Folders feature for all virtual machines. On VMWare
Workstation this can be done by clicking on "Edit virtual machine
settings" and disabling shared folders in the Options tab.
The vendor has published a security alert with a step-by-step description
of how to disable Shared Folders on affected products.
access a vmware guest via the console and not allow any network access at
all. One that comes to mind is an offline root CA that you only fire up
when you need it--a virtual offline machine. Another situation for
myself is I keep all my hacking/pen-testing tools on a vm that I can use
when I need them, and quickly move to any vm host I need to run them on. I
don't necessarily want to make that virtual machine accessible from the
network. Anyway, it is absurd to say you will never log in to the console,
sometimes you just have to.
Whether it affects you personally or not, it certainly is helpful to know
that the capability exists so you can make better informed security
non-admin on the host can still execute admin-level scripts on the guests.
I obviously did not discover this issue--the API developers provided it as a
feature-I am simply pointing out the potential danger, that it was a poor
design decision, and that there is a need to establish best practices for
virtual machine guest and host isolation.
Background
Virtual machines have become a more integral part of the computing world and
are playing an increasing role in IT infrastructures. It is not uncommon to
a. Denial of service guest to host vulnerability in a virtual device
A vulnerability in a guest virtual device driver, could allow a
guest operating system to crash the host and consequently any
virtual machines on that host.
VMware would like to thank Andrew Honig of the Department of
Defense for reporting this issue.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
allows for injection of commands. The issue could allow a user
on the host to execute commands on the guest operating system
with root privileges.
The issue can only be exploited if VMware Tools is not fully
up-to-date. Windows-based virtual machines are not affected.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2010-4297 to this issue.
VMware would like to thank Nahuel Grisolia of Bonsai Information
- Philippe Langlois (France)
Building Hackerspaces Everywhere
- Philippe Langlois (France)
Virtual Machines (in)security and rootkits
- Nguyen Anh Quynh (Japan)
Memory forensic and incident response for live virtual machine (VM)
- Nguyen Anh Quynh (Japan)
Service Console be isolated from the VM network. Please see
http://www.vmware.com/resources/techresources/726 for more
information on VMware security best practices.
b. WebAccess Virtual Machine Name Cross-site Scripting Vulnerability
A cross-site scripting vulnerability allows for execution of
JavaScript in the Web browser's security context for WebAccess. The
flaw is due to insufficient checking on the names of virtual
machines.
4. This is also not so much about this specific issue at hand--we can easily
block this--but also looking at the bigger picture of establishing best
practices for dealing with the guest/host relationship.
5. Arthur, it may not affect you but the way you use virtual machines is
likely not representative of the population of vmware users.
6. The argument that a secured server won't be vulnerable is fine, but
that's a pretty big assumption to make. There are few vulnerabilities ever
found that couldn't be reasonably anticipated and prevented by following
> > non-admin on the host can still execute admin-level scripts on the guests.
> >
> > I obviously did not discover this issue--the API developers provided it as a
> > feature-I am simply pointing out the potential danger, that it was a poor
> > design decision, and that there is a need to establish best practices for
> > virtual machine guest and host isolation.
>
> I don't see this as a serious problem. This is the virtual equivalent of no
> physical security. If the host OS (or an account within it) is compromised,
> of course all bets are off when it comes to a virtual machine running within
> it.
as used in Xen and possibly other products, allows local users to
trigger a heap-based buffer overflow via certain register values
that bypass sanity checks, aka QEMU NE2000 receive integer signedness
error. (CVE-2007-1321)
QEMU 0.8.2 allows local users to halt a virtual machine by executing
the icebp instruction. (CVE-2007-1322)
QEMU 0.8.2 allows local users to crash a virtual machine via the
divisor operand to the aam instruction, as demonstrated by aam 0x0,
which triggers a divide-by-zero error. (CVE-2007-1366)
> access a vmware guest via the console and not allow any network access at
> all. One that comes to mind is an offline root CA that you only fire up
> when you need it--a virtual offline machine. Another situation for
> myself is I keep all my hacking/pen-testing tools on a vm that I can use
> when I need them, and quickly move to any vm host I need to run them on. I
> don't necessarily want to make that virtual machine accessible from the
> network. Anyway, it is absurd to say you will never log in to the console,
> sometimes you just have to.
No offense, but regarding your offline root CA -- doesn't hosting the vm on
a network-connected machine kind of defeat the purpose? That's only two
dereference via a crafted image file (CVE-2009-0793).
Further security fixes in the JRE and in the Java API of OpenJDK:
A flaw in handling temporary font files by the Java Virtual
Machine (JVM) allows remote attackers to cause denial of service
(CVE-2006-2426).
An integer overflow flaw was found in Pulse-Java when handling Pulse
audio source data lines. An attacker could use this flaw to cause an
applet to crash, leading to a denial of service (CVE-2009-0794).
untrusted code (including applets) to elevate its privileges.
CVE-2011-0864
Hotspot, the just-in-time compiler in OpenJDK, mishandled
certain byte code instructions, allowing untrusted code
(including applets) to crash the virtual machine.
CVE-2011-0865
A race condition in signed object deserialization could
allow untrusted code to modify signed content, apparently
leaving its signature intact.
a. Loading a corrupt delta disk may cause ESX to crash
If the VMDK delta disk of a snapshot is corrupt, an ESX host might
crash when the corrupted disk is loaded. VMDK delta files exist
for virtual machines with one or more snapshots. This change ensures
that a corrupt VMDK delta file cannot be used to crash ESX hosts.
A corrupt VMDK delta disk, or virtual machine would have to be loaded
by an administrator.
a qemu disk to determine its format and did not require that the format be
declared in the XML. This is considered a security problem in most
deployments and this version of libvirt will default to the 'raw' format
when the format is not specified in the XML. As a result, non-raw disks
without a specified disk format will no longer be available in existing
virtual machines.
The libvirt-migrate-qemu-disks tool is provided to aid in transitioning
virtual machine definitions to the new required format. In essence, it will
check all domains for affected virtual machines, probe the affected disks
and update the domain definition accordingly. This command will be run
III. ANALYSIS
Exploitation of this vulnerability allows an unprivileged local user to
patch and execute arbitrary code within the kernel of a Windows guest
operating system. In order to exploit the vulnerability, an attacker
needs to be able to login to the target VMware guest virtual machine
and execute a specially crafted executable.
IV. DETECTION
iDefense confirmed the existence of this vulnerability in hgfs.sys as
> accomplish some of the other attacks mentioned.
Your position seems to be that an easy automated scripting interface is a
lot more dangerous than a slightly harder indirect attack method. The
truth is that they are both scriptable and reliable. Techniques for
attacking virtual machines from the host are certainly no harder to code
than the average remote exploit that worms used to propagate. Do you
really think a worm writer who wants to compromise VMWare guests would
take advantage of a scripting interface but shy away from the task if he
had to write custom code to break into the guest?
*** SUMMARY ***
Citrix XenCenterWeb is a web interface for Citrix XenServer environment
management.
Users of XenCenterWeb will be able to see a list of Virtual Machines in the
Resource Pool, perform life-cycle actions (start, shutdown, restart, etc.),
get basic information about the hosts in the Resource Pools, information about
the VMs and also connect to the console of the VMs.
Due to poor validation of some user controlled inputs, a variety of attacks
> non-admin on the host can still execute admin-level scripts on the guests.
>
> I obviously did not discover this issue--the API developers provided it as a
> feature-I am simply pointing out the potential danger, that it was a poor
> design decision, and that there is a need to establish best practices for
> virtual machine guest and host isolation.
I don't see this as a serious problem. This is the virtual equivalent of no
physical security. If the host OS (or an account within it) is compromised,
of course all bets are off when it comes to a virtual machine running within
it.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5274
Description:
Previous versions of Sun's Java implementation are vulnerable to multiple
issues which allow attackers to break the security model of the Java
Virtual Machine and run arbitrary code as the user running Java (most often
a non-root user in a browser setting) via multiple vectors.
- ---
Copyright 2007 Foresight Linux Project
access the physical box, there's nothing more you can do. Well, that's just
not true anymore. You very well can protect a physical machine and you
should be able to protect a virtual guest from its host. There's no way a
non-admin user is going to be able to modify the RAM of a vm. And in Windows
Vista, if not already blocked, even as an administrator I would have to
explicitly allow a worm to access the RAM or disk of a virtual machine. No
worm is going to access a vm's resources without a UAC prompt coming up.
The argument that owning a physical machine automatically means game over
just isn't true. We should be able to say the same thing about a VM.
- JVM Version 6 Update 1
- JVM Version 6 Update 2
I. Background
~~~~~~~~~~~~~
Dictionary.com : "The Java Virtual Machine (JVM) is software that converts
the Java intermediate language (bytecode) into machine language and executes it.
The original JVM came from the JavaSoft division of Sun. Subsequently,
other vendors developed their own; for example, the Microsoft Virtual
Machine is Microsoft's Java interpreter. A JVM is incorporated into
a Web browser in order to execute Java applets. A JVM is also installed in a
This course will cover some of the newer aspects of pen-testing, covering: Open Source Intelligence Gathering with Maltego and other Open Source tools, Scanning, Enumeration, Exploitation (both remote and client-side) and Post-Exploitation, relying heavily on the features included in the Metasploit Framework. We'll discuss our activities from both the Whitebox and Blackbox approach, keeping stealth in mind for our Blackbox activities.
Web Application penetration testing will be covered as well with focus on practical exploitation of cross-site scripting (XSS), cross-site request forgery (CSRF), local/remote file includes, and SQL Injection.
The course will come with a complimentary USB hard drive loaded with the lab Virtual Machine images for you to play with, so you can continue to hone your skills and learn new techniques even after the course is finished. Attendees will walk away with current knowledge of how to pen-test both a network and a web application, all of the basic tools needed, and a set of practice exercises that they can use to improve their skills.
CORPORATE SECURITY AND INCIDENT RESPONSE CRASH COURSE
Instructors: Gabriel Lawrence, James O'Gorman, Matthew Churchill, & datagram
Includes: USB Flash Drive, Lockpicks, Materials