host system
Among the many reasons that promote the adoption of virtualization
technologies, one of the most common today is the promise of an improved
information security posture, due to the implied isolation between multiple
virtualized systems (referred to as Guest systems) and the non-virtualized
system controlling the virtualization hardware and software (the Host
system) [1].
Consequently, software bugs that could allow potential attackers to
invalidate the premise of effective isolation between Host and Guest
systems are considered security vulnerabilities with a potentially high
impact. Attacks exploiting this type of vulnerability have been
ESXi 3.5 ESXi not affected
ESX any ESX not affected
c. OpenProcess Local Privilege Escalation on Host System
This release fixes a privilege escalation vulnerability in host
systems. Exploitation of this vulnerability allows users to run
arbitrary code on the host system with elevated privileges.
Workstation 6.5.x any not affected
Player 2.5.x any not affected
ACE 2.5.x Windows 2.5.3 build 185404 or later
ACE 2.5.x Linux update Apache on host system *
Server 2.x any not affected
Server 1.x any not affected
Fusion 2.x Mac OS/X not affected
Due to the lack of handling of potential symbolic links, the host's jail
rc.d(8) script is vulnerable to "symlink attacks". By replacing
/var/log/console.log inside the jail with a symbolic link, it is
possible for the superuser (root) inside the jail to overwrite files
on the host system outside the jail with arbitrary content. This in
turn can be used to execute arbitrary commands with non-jailed
superuser privileges.
Similarly, by changing directory mount points inside the jail file
system structure into symbolic links, it may be possible for a jailed
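The attack the advisory describes, and the host-side check that defeats it, as an added example written for this page (it is not the FreeBSD rc.d script nor any code from the advisory). The relative log path is the one the advisory names; the jail root, the stand-in "host_secret" file and the demo() harness are constructed here. The hardened writer opens each path component relative to the previous directory's file descriptor with O_NOFOLLOW, so the kernel refuses a symlink at any level instead of following it, and a link swapped in mid-walk is refused too.

```python
# Added example (not code from the FreeBSD advisory): a host-side writer for a
# file inside a jail, in the vulnerable form and a hardened form.
import os
import shutil
import stat
import tempfile

LOG_REL = "var/log/console.log"   # path the jail's rc.d script writes, per the advisory


def vulnerable_write(jailroot, data):
    """Vulnerable pattern: open the path through the jail root with a plain
    open(), which follows whatever symlink a jailed root planted there."""
    with open(os.path.join(jailroot, LOG_REL), "ab") as fh:
        fh.write(data)


def safe_write(jailroot, data):
    """Hardened: walk the path one component at a time with O_NOFOLLOW, each
    step relative to the directory fd of the previous one, so a symlink at
    any level (or one swapped in during the walk) is refused by the kernel
    rather than followed.  Raises OSError on refusal."""
    parts = LOG_REL.split("/")
    dir_flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    dfd = os.open(jailroot, dir_flags)
    try:
        for comp in parts[:-1]:
            nxt = os.open(comp, dir_flags, dir_fd=dfd)   # ELOOP/ENOTDIR on a link
            os.close(dfd)
            dfd = nxt
        file_flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
        fd = os.open(parts[-1], file_flags, 0o644, dir_fd=dfd)  # ELOOP on a link
    finally:
        os.close(dfd)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise OSError(f"refusing to write {LOG_REL}: not a regular file")
        os.write(fd, data)
    finally:
        os.close(fd)


def demo():
    """Plant the advisory's attack (jailed root replaces the log with a link to
    a host file) in a constructed temp tree and run both writers against it."""
    root = tempfile.mkdtemp()
    try:
        jail = os.path.join(root, "jail")
        os.makedirs(os.path.join(jail, "var", "log"))
        host_file = os.path.join(root, "host_secret")   # constructed stand-in for a host file
        open(host_file, "wb").close()
        os.symlink(host_file, os.path.join(jail, LOG_REL))   # the jailed root's move

        vulnerable_write(jail, b"boot output\n")
        with open(host_file, "rb") as fh:
            after_vulnerable = fh.read()          # host file clobbered through the link

        try:
            safe_write(jail, b"boot output\n")
            refused = False
        except OSError:
            refused = True
        with open(host_file, "rb") as fh:
            after_safe = fh.read()                # unchanged: the write was refused

        os.unlink(os.path.join(jail, LOG_REL))    # a genuine log file ...
        safe_write(jail, b"ok\n")                 # ... is still written normally
        with open(os.path.join(jail, LOG_REL), "rb") as fh:
            regular = fh.read()
    finally:
        shutil.rmtree(root)
    return {"after_vulnerable": after_vulnerable, "refused": refused,
            "after_safe": after_safe, "regular": regular}


if __name__ == "__main__":
    print(demo())
```

The per-component walk matters more than the final O_NOFOLLOW alone: the advisory's second paragraph is exactly the case where a directory inside the jail, not the log file, has been turned into a link, and a check that only lstat()s the final path would pass it.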
* and starts a remote command session via POST.
*
* Syntax: php fp-lfi2rce.php <host> <path> [action] [lang] [shell]
* <host>: the hostname or IP address of your target;
* <path>: the path where FlatPress was installed;
* [action]: the action to take against the host system
(test, attack);
* [lang]: the remote language used (en, it);
* [shell]: if already exploited, you could just have the shell name.
*
* Dependencies: php5-curl.
This update fixes a security issue related to local exploitation of
an untrusted library path vulnerability in vmware-authd. In order to
exploit this vulnerability, an attacker must have local access and
the ability to execute the set-uid vmware-authd binary on an affected
system. Exploitation of this flaw might result in arbitrary code
execution on the Linux host system by an unprivileged user.
VMware would like to thank iDefense for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2008-0967 to this issue.
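The class of flaw above is a set-uid program trusting a library search path it does not control. As an added example (not VMware's code; the advisory does not say how vmware-authd located its libraries), here is the directory check such a program should apply to every search-path entry before loading from it. Stat results are passed in through a `stat_fn` parameter so the constructed FAKE_FS table in demo() can stand in for a real file system; with the default `os.lstat` it runs against the live system.

```python
# Added example (not VMware's code): trust checks for a library search path
# consumed by a set-uid program.  FAKE_FS and demo() are constructed inputs.
import os
import stat

TRUSTED_UIDS = (0,)                               # only root may own a trusted library directory
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def running_setuid():
    """True when the process gained privilege from a set-uid/set-gid bit; in
    that case environment-supplied search paths must be ignored outright,
    not merely filtered."""
    return os.geteuid() != os.getuid() or os.getegid() != os.getgid()


def ancestors(path):
    """path, its parent, ... up to the root, innermost first."""
    p = os.path.normpath(path)
    chain = [p]
    while os.path.dirname(p) != p:
        p = os.path.dirname(p)
        chain.append(p)
    return chain


def trusted_dir(path, stat_fn=os.lstat):
    """(ok, reason): the directory and every ancestor must be a real directory,
    owned by a trusted uid and not writable by group or others.  A writable
    ancestor lets an attacker rename the whole subtree out from under us."""
    if not os.path.isabs(path):
        return False, "relative path"
    for d in ancestors(path):
        try:
            st = stat_fn(d)
        except OSError as exc:
            return False, f"{d}: {exc.strerror}"
        if stat.S_ISLNK(st.st_mode):
            return False, f"{d}: symlink"
        if not stat.S_ISDIR(st.st_mode):
            return False, f"{d}: not a directory"
        if st.st_uid not in TRUSTED_UIDS:
            return False, f"{d}: owned by uid {st.st_uid}"
        if st.st_mode & WRITABLE_BY_OTHERS:
            return False, f"{d}: writable by group/others"
    return True, "ok"


def filter_search_path(search_path, stat_fn=os.lstat):
    """Split a colon-separated search path into trusted entries and rejects."""
    trusted, rejected = [], {}
    for entry in search_path.split(os.pathsep):
        ok, why = trusted_dir(entry, stat_fn)
        if ok:
            trusted.append(entry)
        else:
            rejected[entry] = why
    return trusted, rejected


D = stat.S_IFDIR
FAKE_FS = {                                       # constructed: path -> (mode, uid)
    "/":               (D | 0o755, 0),
    "/usr":            (D | 0o755, 0),
    "/usr/lib":        (D | 0o755, 0),
    "/usr/lib/vmware": (D | 0o755, 0),            # hypothetical vendor directory
    "/tmp":            (D | 0o1777, 0),
    "/tmp/lib":        (D | 0o755, 0),            # sane itself, but /tmp is world-writable
    "/home":           (D | 0o755, 0),
    "/home/alice":     (D | 0o755, 1000),
    "/home/alice/lib": (D | 0o755, 1000),         # owned by an unprivileged user
}


def fake_lstat(path):
    """lstat() over the constructed table, for the offline demonstration."""
    if path not in FAKE_FS:
        raise FileNotFoundError(2, "No such file or directory", path)
    mode, uid = FAKE_FS[path]
    return os.stat_result((mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))


def demo():
    return filter_search_path("/usr/lib/vmware:/tmp/lib:/home/alice/lib:lib:/opt/missing",
                              fake_lstat)


if __name__ == "__main__":
    print(demo())
```

The ancestor walk is what catches `/tmp/lib`: the directory itself is root-owned and 0755, but anyone can rename it and drop their own in its place because `/tmp` is world-writable.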
CVE-2011-1166
A 64-bit guest can get one of its vCPUs into non-kernel
mode without first providing a valid non-kernel pagetable,
thereby locking up the host system.
CVE-2011-1583, CVE-2011-3262
Local users can cause a denial of service and possibly execute
arbitrary code via a crafted paravirtualised guest kernel image.
> > block this--but also looking at the bigger picture of establishing
> > best practices for dealing with the guest/host relationship.
>
> Here's a best practice: Don't assume that guests are protected from
> software running on the host system.
>
> > As a side note, I specialize in hardening Windows so all of these
> > systems have been hardened with my own hardening script that is quite
> > extreme. These
CVE-2010-0309
Marcelo Tosatti fixed an issue in the PIT emulation code in the
KVM subsystem that allows privileged users in a guest domain to
cause a denial of service (crash) of the host system.
CVE-2010-0419
Paolo Bonzini found a bug in KVM that can be used to bypass proper
permission checking while loading segment selectors. This
IO.
A flaw in VMware's CPU hardware emulation could allow the
virtual CPU to jump to an incorrect memory address. Exploitation of
this issue on the guest operating system does not lead to a
compromise of the host system, but could lead to a privilege
escalation on the guest operating system. An attacker would need to
have a user account on the guest operating system.
Affected
64-bit Windows and 64-bit FreeBSD guest operating systems and
in the context of the vmx process on the host.
In order to exploit this vulnerability, the VMware system must have
at least one folder shared. Two things must happen for a folder to
be shared: 1) shared folders must be enabled, and 2) a folder on the
host system must be selected to be shared. No folders are shared
by default in any version of our products, which means this
vulnerability is not exploitable by default. Workstation 6.x,
Player 2.x, and ACE 2.x have shared folders disabled by default.
VMware Server, ESX and ESXi do not provide the shared folders feature.
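The precondition above (a folder shared from the host) is something an administrator can audit from the VM's .vmx file. The checker below is an added example, not VMware's tooling; the `sharedFolderN.*` and `isolation.tools.hgfs.disable` key names are assumed from VMware's configuration conventions, and the sample .vmx is constructed.

```python
# Added example (not VMware's tooling): report the shared folders a .vmx file
# exposes to the guest.  Key names are assumed from VMware conventions; the
# sample below is constructed.
import re

VMX_SAMPLE = r'''.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "7"
displayName = "win-test"
isolation.tools.hgfs.disable = "FALSE"
sharedFolder.maxNum = "2"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.readAccess = "TRUE"
sharedFolder0.writeAccess = "TRUE"
sharedFolder0.hostPath = "C:\Users\alice\Documents"
sharedFolder0.guestName = "docs"
sharedFolder0.expiration = "never"
sharedFolder1.present = "TRUE"
sharedFolder1.enabled = "FALSE"
sharedFolder1.hostPath = "D:\builds"
sharedFolder1.guestName = "builds"
'''

_LINE = re.compile(r'^\s*([\w.:\-]+)\s*=\s*"(.*)"\s*$')   # key = "value"
_SHARED = re.compile(r"^sharedFolder(\d+)\.present$")


def parse_vmx(text):
    """The .vmx format is flat key = "value" lines; anything else is skipped."""
    cfg = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def is_true(value):
    return (value or "").strip().upper() == "TRUE"


def shared_folders(cfg):
    """Folders configured for the guest, and the subset actually exposed:
    present, not explicitly disabled, and HGFS not switched off globally."""
    hgfs_disabled = is_true(cfg.get("isolation.tools.hgfs.disable"))
    folders = []
    for key, value in cfg.items():
        m = _SHARED.match(key)
        if not m or not is_true(value):
            continue
        n = m.group(1)
        folders.append({
            "index": int(n),
            "host_path": cfg.get(f"sharedFolder{n}.hostPath"),
            "guest_name": cfg.get(f"sharedFolder{n}.guestName"),
            # assumption: a folder with no explicit enabled key counts as enabled
            "enabled": is_true(cfg.get(f"sharedFolder{n}.enabled", "TRUE")),
            "writable": is_true(cfg.get(f"sharedFolder{n}.writeAccess")),
        })
    folders.sort(key=lambda f: f["index"])
    exposed = [] if hgfs_disabled else [f for f in folders if f["enabled"]]
    return {"hgfs_disabled": hgfs_disabled, "configured": folders, "exposed": exposed}


def audit(text):
    return shared_folders(parse_vmx(text))


if __name__ == "__main__":
    report = audit(VMX_SAMPLE)
    for f in report["exposed"]:
        access = "read/write" if f["writable"] else "read-only"
        print(f"guest sees {f['guest_name']!r} -> host {f['host_path']} ({access})")
```

A writable share is the worse case for the class of bug described here, since a guest-side path-handling flaw in the share implementation then has a host directory to write into; the report separates configured folders from exposed ones so that a VM hardened with `isolation.tools.hgfs.disable = "TRUE"` reads as clean even if stale `sharedFolderN` entries remain.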
> 4. This is also not so much about this specific issue at hand--we can easily
> block this--but also looking at the bigger picture of establishing best
> practices for dealing with the guest/host relationship.
Here's a best practice: Don't assume that guests are protected from
software running on the host system.
> As a side note, I specialize in hardening Windows so all of these systems
> have been hardened with my own hardening script that is quite extreme. These
> are by no means weak targets.
are able to enter, any user with access to edit XSLT stylesheets can
cause Cascade Server to execute arbitrary Java code. Using the
java.lang.Runtime class, that Java code can run shell commands.
While the privilege level of the Cascade Server process may prevent
an attacker from gaining complete control of the host system, that
privilege level is necessarily sufficient to gain full control of
Cascade Server.
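The route from "edit a stylesheet" to java.lang.Runtime is the Java extension-function namespaces that Xalan-style XSLT processors honour. As an added example (not Cascade Server's code), the audit below rejects a stylesheet that declares such a namespace or names a dangerous class in an expression; the namespace list and both sample stylesheets are assumptions and constructions of this example, not anything taken from the advisory.

```python
# Added example (not Cascade Server's code): pre-upload audit of an XSLT
# stylesheet for Java extension-function access.  The namespace list is an
# assumption about Xalan-style processors; the sample stylesheets are constructed.
import io
import re
import xml.etree.ElementTree as ET

JAVA_EXTENSION_NS = (
    "http://xml.apache.org/xalan/java",   # Xalan-J, also .../xalan/java/java.lang.Runtime
    "http://xml.apache.org/xslt/java",    # older Xalan form
    "xalan://",                           # xmlns:rt="xalan://java.lang.Runtime"
    "java:",                              # Saxon-style java:java.lang.Runtime
)
DANGEROUS_REFS = re.compile(
    r"java\.lang\.(Runtime|ProcessBuilder|reflect)|java\.io\.File|java\.net\.")

BENIGN = '''<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <html><body><xsl:value-of select="/page/title"/></body></html>
  </xsl:template>
</xsl:stylesheet>'''

MALICIOUS = '''<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:java="http://xml.apache.org/xalan/java">
  <xsl:template match="/">
    <xsl:variable name="rt" select="java:java.lang.Runtime.getRuntime()"/>
    <xsl:value-of select="java:exec($rt, 'id')"/>
  </xsl:template>
</xsl:stylesheet>'''


def audit_stylesheet(xslt_text):
    """Return a list of (kind, where, what) findings; empty means no Java
    extension access was found.  Namespace declarations are read from the
    parser's start-ns events because ElementTree strips xmlns attributes."""
    findings = []
    raw = xslt_text.encode("utf-8")
    for _event, (prefix, uri) in ET.iterparse(io.BytesIO(raw), events=("start-ns",)):
        if uri.startswith(JAVA_EXTENSION_NS):
            findings.append(("java-extension-namespace", prefix, uri))
    root = ET.fromstring(raw)
    for elem in root.iter():
        for attr, value in elem.attrib.items():        # select=, test=, name= ...
            if DANGEROUS_REFS.search(value):
                findings.append(("dangerous-class-reference", attr, value))
        if elem.text and DANGEROUS_REFS.search(elem.text):
            findings.append(("dangerous-class-reference", "text", elem.text.strip()))
    return findings


def accept_upload(xslt_text):
    """Policy hook: refuse the stylesheet if any finding is present."""
    return audit_stylesheet(xslt_text) == []


if __name__ == "__main__":
    for name, sheet in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(name, "accepted" if accept_upload(sheet) else audit_stylesheet(sheet))
```

This audit is defence in depth, not the primary fix: the processor itself should be created with `TransformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`, which disables extension functions in Xalan and the JDK's XSLTC, so that a stylesheet which slips past the text check still cannot reach java.lang.Runtime.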
SOLUTION
========
Impact
======
Remote attackers within a guest system could possibly exploit these
vulnerabilities to execute code on the host system with elevated
privileges or to cause a Denial of Service.
Workaround
==========
CVE-2010-0309
Marcelo Tosatti fixed an issue in the PIT emulation code in the
KVM subsystem that allows privileged users in a guest domain to
cause a denial of service (crash) of the host system.
CVE-2010-0410
Sebastian Krahmer discovered an issue in the netlink connector
subsystem that permits local users to allocate large amounts of