
virtual machine

VMSA-2009-0007 VMware Hosted products and ESX and ESXi patches resolve security issues

   available.

3. Problem Description

 a. VMware Descheduled Time Accounting driver vulnerability may cause a
    denial of service in Windows-based virtual machines.

    The VMware Descheduled Time Accounting Service is an optional,
    experimental service that provides improved guest operating system
    accounting.


VMSA-2010-0007 VMware hosted products, vCenter Server and ESX patches resolve multiple security issues

    Steps needed to remediate this vulnerability:

    Guest systems on VMware Workstation, Player, ACE, Server, Fusion
     - Install the remediated version of Workstation, Player, ACE,
       Server and Fusion.
     - Upgrade tools in the virtual machine (virtual machine users
       will be prompted to upgrade).

    Guest systems on ESX 4.0, 3.5, 3.0.3, 2.5.5, ESXi 4.0, 3.5
     - Install the relevant patches (see below for patch identifiers)
     - Manually upgrade tools in the virtual machine (virtual machine

[security bulletin] HPSBMA02598 SSRT100314 rev.2 - HP Insight Control Virtual Machine Management for Windows, Remote Cross Site Scripting (XSS), Denial of Service (DoS), Cross Site Request Forgery (CSRF)

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02560655
Version: 2

HPSBMA02598 SSRT100314 rev.2 - HP Insight Control Virtual Machine Management for Windows, Remote Cross Site Scripting (XSS), Denial of Service (DoS), Cross Site Request Forgery (CSRF)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2010-10-25
Last Updated: 2010-10-28

[security bulletin] HPSBMA02598 SSRT100314 rev.1 - HP Insight Control Virtual Machine Management for Windows, Remote Cross Site Scripting (XSS), Privilege Escalation, Cross Site Request Forgery (CSRF).

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02560655
Version: 1

HPSBMA02598 SSRT100314 rev.1 - HP Insight Control Virtual Machine Management for Windows, Remote Cross Site Scripting (XSS), Privilege Escalation, Cross Site Request Forgery (CSRF).

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2010-10-25
Last Updated: 2010-10-25

RE: VMWare poor guest isolation design

access a vmware guest via the console and not allow any network access at
all. One that comes to mind is an offline root CA that you fire up
only when you need it--a virtual offline machine. Another situation for
myself is I keep all my hacking/pen-testing tools on a vm that I can use
when I need them, and quickly move to any vm host I need to run them on. I
don't necessarily want to make that virtual machine accessible from the
network. Anyway, it is absurd to say you will never log in to the console,
sometimes you just have to. 

Whether it affects you personally or not, it certainly is helpful to know
that the capability exists so you can make better informed security

CORE-2007-0930 Path Traversal vulnerability in VMware's shared folders implementation

. VMWare ESX
. VMWare Server

*Vendor Information, Solutions and Workarounds*

Disable the Shared Folders feature for all virtual machines. On VMWare
Workstation this can be done by clicking on "Edit virtual machine
settings" and disabling shared folders in the Options tab.

The vendor has published a security alert with a step-by-step description
of how to disable Shared Folders on affected products.
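
The following is an added example, not code from the CORE advisory and not VMware's own: a small Python audit that parses a Workstation .vmx file (a flat list of key = "value" lines), lists every shared folder that is present and enabled, and writes back a hardened copy. The sharedFolderN.* keys and isolation.tools.hgfs.disable are the names used in Workstation configuration files and in VMware's hardening guides; treat them as assumptions to check against the product version you run. The sample .vmx in the block is constructed.

```python
"""Audit a VMware .vmx for enabled Shared Folders and emit a hardened copy.

Added example: not from the CORE advisory and not VMware code. A .vmx is a
flat list of key = "value" lines. The sharedFolderN.* keys and
isolation.tools.hgfs.disable are the names Workstation and the VMware
hardening guides use; they are assumptions to verify against your build.
"""
import re
from typing import Dict, List

# Constructed sample: a Workstation guest with one read/write shared folder.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "pentest-box"
sharedFolder.maxNum = "1"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.readAccess = "TRUE"
sharedFolder0.writeAccess = "TRUE"
sharedFolder0.hostPath = "/home/me/shared"
sharedFolder0.guestName = "Shared"
sharedFolder0.expiration = "never"
"""

_LINE = re.compile(r'^\s*([\w.:-]+)\s*=\s*"(.*)"\s*$')
_FOLDER = re.compile(r"^sharedFolder(\d+)\.present$")


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse key = "value" lines into a dict; comments and blanks are skipped."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def _true(cfg: Dict[str, str], key: str) -> bool:
    return cfg.get(key, "FALSE").upper() == "TRUE"


def enabled_shared_folders(cfg: Dict[str, str]) -> List[dict]:
    """Every sharedFolderN that is both present and enabled, lowest index first."""
    found = []
    for key in cfg:
        m = _FOLDER.match(key)
        if not m:
            continue
        p = f"sharedFolder{m.group(1)}."
        if _true(cfg, p + "present") and _true(cfg, p + "enabled"):
            found.append({
                "index": int(m.group(1)),
                "hostPath": cfg.get(p + "hostPath", ""),
                "guestName": cfg.get(p + "guestName", ""),
                "write": _true(cfg, p + "writeAccess"),
            })
    return sorted(found, key=lambda f: f["index"])


def hgfs_disabled(cfg: Dict[str, str]) -> bool:
    return _true(cfg, "isolation.tools.hgfs.disable")


def harden(cfg: Dict[str, str]) -> Dict[str, str]:
    """Copy of cfg with each shared folder switched off and, as a second
    control, HGFS itself disabled at the isolation layer (the setting the
    hardening guides recommend). hostPath entries are kept for the record."""
    out = dict(cfg)
    for folder in enabled_shared_folders(cfg):
        out[f"sharedFolder{folder['index']}.enabled"] = "FALSE"
    out["isolation.tools.hgfs.disable"] = "TRUE"
    return out


def render_vmx(cfg: Dict[str, str]) -> str:
    return "".join(f'{k} = "{v}"\n' for k, v in cfg.items())


if __name__ == "__main__":
    cfg = parse_vmx(SAMPLE_VMX)
    for folder in enabled_shared_folders(cfg):
        mode = "rw" if folder["write"] else "ro"
        print(f"shared folder {folder['index']}: {folder['hostPath']} -> "
              f"{folder['guestName']} ({mode})")
    print(render_vmx(harden(cfg)))
```

Run it against a directory of .vmx files and act on any guest that reports an enabled folder; a write-access folder is the case that matters most here, since that is where a traversal from the guest reaches the host filesystem with write rights.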

ACROS Security: Local Binary Planting in VMware Tools for Windows (ASPR #2010-04-12-2)

Analysis 
========

There is a code execution vulnerability in VMware Tools for Windows that 
allows a local attacker (being able to log on locally to the virtual 
machine) to plant a malicious executable with a specific name on the local 
drive and wait for this executable to get launched when another user logs 
on to the virtual machine.

While this scenario is usually blocked on default VMware Tools' 
installations on Windows XP, Windows Vista and Windows 7 due to the 

VMSA-2010-0005 VMware products address vulnerabilities in WebAccess

          Service Console be isolated from the VM network. Please see
          http://www.vmware.com/resources/techresources/726 for more
          information on VMware security best practices.


  b. WebAccess Virtual Machine Name Cross-site Scripting Vulnerability
 
    A cross-site scripting vulnerability allows for execution of
    JavaScript in the Web browser's security context for WebAccess. The
    flaw is due to insufficient checking on the names of virtual
    machines.

RE: VMWare poor guest isolation design

> access a vmware guest via the console and not allow any network access at
> all. One that comes to mind is an offline root CA that you can only fire up
> only when you need it--a virtual offline machine. Another situation for
> myself is I keep all my hacking/pen-testing tools on a vm that I can use
> when I need them, and quickly move to any vm host I need to run them on. I
> don't necessarily want to make that virtual machine accessible from the
> network. Anyway, it is absurd to say you will never log in to the console,
> sometimes you just have to.

No offense, but regarding your offline root CA -- doesn't hosting the vm on
a network-connected machine kind of defeat the purpose?  That's only two

[ MDVSA-2008:162 ] qemu

 as used in Xen and possibly other products, allows local users to
 trigger a heap-based buffer overflow via certain register values
 that bypass sanity checks, aka QEMU NE2000 receive integer signedness
 error. (CVE-2007-1321)
 
 QEMU 0.8.2 allows local users to halt a virtual machine by executing
 the icebp instruction. (CVE-2007-1322)
 
 QEMU 0.8.2 allows local users to crash a virtual machine via the
 divisor operand to the aam instruction, as demonstrated by aam 0x0,
 which triggers a divide-by-zero error. (CVE-2007-1366)

VMSA-2009-0005 VMware Hosted products, VI Client and patches for ESX and ESXi resolve multiple security issues

 a. Denial of service guest to host vulnerability in a virtual device

    A vulnerability in a guest virtual device driver could allow a
    guest operating system to crash the host and consequently any
    virtual machines on that host.

    VMware would like to thank Andrew Honig of the Department of
    Defense for reporting this issue.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)

Re: VMWare poor guest isolation design

> non-admin on the host can still execute admin-level scripts on the guests.
>
> I obviously did not discover this issue--the API developers provided it as a
> feature-I am simply pointing out the potential danger, that it was a poor
> design decision, and that there is a need to establish best practices for
> virtual machine guest and host isolation.

I don't see this as a serious problem.  This is the virtual equivalent of no
physical security.  If the host OS (or an account within it) is compromised,
of course all bets are off when it comes to a virtual machine running within
it.

[ MDVSA-2009:162 ] java-1.6.0-openjdk

 dereference via a crafted image file (CVE-2009-0793).
 
 Further security fixes in the JRE and in the Java API of OpenJDK:
 
 A flaw in handling temporary font files by the Java Virtual
 Machine (JVM) allows remote attackers to cause denial of service
 (CVE-2006-2426).
 
 An integer overflow flaw was found in Pulse-Java when handling Pulse
 audio source data lines. An attacker could use this flaw to cause an
 applet to crash, leading to a denial of service (CVE-2009-0794).

Two security issues fixed in ioQuake3 engine

========================================
Issue #2:

Malicious gamecode can Execute arbitrary code outside of
Q3 Virtual Machine context
========================================

This bug has been discovered by /dev/humancontroller.

 * details

[USN-1008-1] libvirt vulnerabilities

a qemu disk to determine its format and did not require that the format be
declared in the XML. This is considered a security problem in most
deployments and this version of libvirt will default to the 'raw' format
when the format is not specified in the XML. As a result, non-raw disks
without a specified disk format will no longer be available in existing
virtual machines.

The libvirt-migrate-qemu-disks tool is provided to aid in transitioning
virtual machine definitions to the new required format. In essence, it will
check all domains for affected virtual machines, probe the affected disks
and update the domain definition accordingly. This command will be run
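
An added example, not part of USN-1008-1, libvirt or the libvirt-migrate-qemu-disks tool, to show why probing is the security problem the advisory describes and what pinning the format does about it. It uses the domain XML layout libvirt documents (<devices><disk><driver type=.../>) and the four-byte signature that opens a qcow/qcow2 image; the sample domain and the disk headers are constructed.

```python
"""Pin the on-disk format of every libvirt disk instead of probing it.

Added example; it is not part of USN-1008-1, libvirt or the
libvirt-migrate-qemu-disks tool. It uses the domain XML layout libvirt
documents (<devices><disk><driver type=.../>) and the four-byte qcow2
signature; the sample domain and disk headers below are constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed sample domain: vda declares its format, vdb does not.
SAMPLE_DOMAIN_XML = """\
<domain type='kvm'>
  <name>guest1</name>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/guest1.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='file' device='disk'>
      <driver name='qemu'/>
      <source file='/var/lib/libvirt/images/data.img'/>
      <target dev='vdb' bus='virtio'/>
    </disk>
  </devices>
</domain>
"""

QCOW2_MAGIC = b"QFI\xfb"  # 0x514649fb: the first four bytes of a qcow/qcow2 image


def declared_formats(domain_xml: str) -> Dict[str, Optional[str]]:
    """Map each disk's target dev to its <driver type=...>, or None if absent."""
    root = ET.fromstring(domain_xml)
    out: Dict[str, Optional[str]] = {}
    for disk in root.findall("./devices/disk"):
        drv = disk.find("driver")
        out[disk.find("target").get("dev")] = drv.get("type") if drv is not None else None
    return out


def undeclared_disks(domain_xml: str) -> List[str]:
    """Disks an old libvirt would probe: no driver element or no type attribute."""
    return [dev for dev, fmt in declared_formats(domain_xml).items() if not fmt]


def probed_format(header: bytes) -> str:
    """A header-trusting probe, as pre-fix libvirt did for undeclared disks."""
    return "qcow2" if header[:4] == QCOW2_MAGIC else "raw"


def effective_format(declared: Optional[str], header: bytes,
                     probe_when_undeclared: bool) -> str:
    """Old behaviour probes when undeclared; the fixed behaviour assumes raw.

    The header bytes belong to the guest: a guest that writes QCOW2_MAGIC to
    sector 0 of its raw disk turns the host's next probe into a qcow2 open,
    and a qcow2 header can name a backing file by host path.
    """
    if declared:
        return declared
    return probed_format(header) if probe_when_undeclared else "raw"


def pin_formats(domain_xml: str, headers: Dict[str, bytes]) -> str:
    """Probe once, at a moment the admin trusts, and write the result into XML.

    This is the idea behind the migration tool the advisory mentions; the
    headers dict (target dev -> first bytes of the image) stands in for
    reading the image files.
    """
    root = ET.fromstring(domain_xml)
    for disk in root.findall("./devices/disk"):
        dev = disk.find("target").get("dev")
        drv = disk.find("driver")
        if drv is None:
            drv = ET.SubElement(disk, "driver", name="qemu")
        if not drv.get("type"):
            drv.set("type", probed_format(headers[dev]))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    blank = bytes(512)
    print("undeclared:", undeclared_disks(SAMPLE_DOMAIN_XML))
    fixed = pin_formats(SAMPLE_DOMAIN_XML,
                        {"vda": QCOW2_MAGIC + bytes(508), "vdb": blank})
    print("after pinning:", declared_formats(fixed))
```

The point of pin_formats is timing: the probe happens once, under the administrator's control, and the answer is frozen into the domain definition, so whatever the guest later writes to sector 0 of its own disk no longer changes how the host opens it.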

CORE-2009-0803: Virtual PC Hypervisor Memory Protection Vulnerability

Windows applications on a virtualized Windows XP SP3 operating system
directly from the Windows 7 desktop but in doing so they may be
inadvertently increasing their risk due to a bug that makes standard
Windows anti-exploitation mechanisms ineffective.

A vulnerability found in the memory management of the Virtual Machine
Monitor makes memory pages mapped above the 2GB available with read or
read/write access to user-space programs running in a Guest operating
system. By leveraging this vulnerability it is possible to bypass
security mechanisms of the operating system such as Data Execution
Prevention (DEP) [1], Safe Structured Error Handling (SafeSEH) [2] and

Re: VMWare poor guest isolation design

> > non-admin on the host can still execute admin-level scripts on the guests.
> >
> > I obviously did not discover this issue--the API developers provided it as a
> > feature-I am simply pointing out the potential danger, that it was a poor
> > design decision, and that there is a need to establish best practices for
> > virtual machine guest and host isolation.
>
> I don't see this as a serious problem.  This is the virtual equivalent of no
> physical security.  If the host OS (or an account within it) is compromised,
> of course all bets are off when it comes to a virtual machine running within
> it.

[SECURITY] [DSA 2311-1] openjdk-6 security update

        untrusted code (including applets) to elevate its privileges.

CVE-2011-0864
        Hotspot, the just-in-time compiler in OpenJDK, mishandled
        certain byte code instructions, allowing untrusted code
        (including applets) to crash the virtual machine.

CVE-2011-0865
        A race condition in signed object deserialization could
        allow untrusted code to modify signed content, apparently
        leaving its signature intact.

FLEA-2007-0061-1 sun-jre sun-jdk

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5274

Description:
    Previous versions of Sun's Java implementation are vulnerable to multiple
    issues which allow attackers to break the security model of the Java
    Virtual Machine and run arbitrary code as the user running Java (most often
    a non-root user in a browser setting) via multiple vectors.

- ---

Copyright 2007 Foresight Linux Project

[SECURITY] [DSA 2358-1] openjdk-6 security update

        untrusted code (including applets) to elevate its privileges.

CVE-2011-0864
        Hotspot, the just-in-time compiler in OpenJDK, mishandled
        certain byte code instructions, allowing untrusted code
        (including applets) to crash the virtual machine.

CVE-2011-0865
        A race condition in signed object deserialization could
        allow untrusted code to modify signed content, apparently
        leaving its signature intact.

iDefense Security Advisory 06.04.08: VMware Tools HGFS Local Privilege Escalation Vulnerability

III. ANALYSIS

Exploitation of this vulnerability allows an unprivileged local user to
patch and execute arbitrary code within the kernel of a Windows guest
operating system. In order to exploit the vulnerability, an attacker
needs to be able to login to the target VMware guest virtual machine
and execute a specially crafted executable.

IV. DETECTION

iDefense confirmed the existence of this vulnerability in hgfs.sys as

[TZO-12-2009] SUN / Oracle JVM Remote code execution

- JVM Version 6 Update 1
- JVM Version 6 Update 2

I. Background
~~~~~~~~~~~~~
Dictionary.com : "The Java Virtual Machine (JVM) is software that converts 
the Java intermediate language (bytecode) into machine language and executes it.
The original JVM came from the JavaSoft division of Sun. Subsequently,
other vendors developed their own; for example, the Microsoft Virtual 
Machine is Microsoft's Java interpreter. A JVM is incorporated into 
a Web browser in order to execute Java applets. A JVM is also installed in a 

Memory overwrites in JVM via malformed TrueType font

Published: 29 October 2007

===========
Description
===========
It is possible to cause the Java Virtual Machine to overwrite an arbitrary
memory location with an arbitrary value (repeatedly and in a stable 
manner) when parsing a malformed TrueType font.

Impact: By coercing a user to view a malicious web page, an attacker could
instantiate an applet that executes arbitrary native code inside the

[ MDVSA-2009:137 ] java-1.6.0-openjdk

 dereference via a crafted image file (CVE-2009-0793).
 
 Further security fixes in the JRE and in the Java API of OpenJDK:
 
 A flaw in handling temporary font files by the Java Virtual
 Machine (JVM) allows remote attackers to cause denial of service
 (CVE-2006-2426).
 
 An integer overflow flaw was found in Pulse-Java when handling Pulse
 audio source data lines. An attacker could use this flaw to cause an
 applet to crash, leading to a denial of service (CVE-2009-0794).

Re: More on VMWare poor guest isolation design

M. Burnett:
> It doesn't matter how secure all my guests are or that I use extremely
> secure passwords or that I am current on all my patches or I am running a
> super-tight firewall on each guest. A single API call bypasses all of that.

It doesn't even take an API. If you're running a virtual machine
from your own account, your account has control over the virtual
machine. It can subvert the hardware, it can modify the contents
of virtual memory, the virtual disk image, and so on.

This is a basic but often overlooked principle with virtualization:

RE: VMWare poor guest isolation design

This may be far off course but with all the discussions of VMWare  as a safe
sandbox that has broad security value it seems we have to pay attention to
the assumptions. IF the virtual machine is operating properly, it can
provide a level of sandboxing and restrict session privileges for that
instance of the machine. However, the most common exploit in software
continues to be memory leakages or buffer overflows. 

It seems to me that the code that can be injected through the most common
attack vector (buffer overflows) executes with full privileges of the real
hosting machine, there would be little benefit to the virtualization. Am I

More on VMWare poor guest isolation design

4. This is also not so much about this specific issue at hand--we can easily
block this--but also looking at the bigger picture of establishing best
practices for dealing with the guest/host relationship.

5. Arthur, it may not affect you but the way you use virtual machines is
likely not representative of the population of vmware users.

6. The argument that a secured server won't be vulnerable is fine, but
that's a pretty big assumption to make. There are few vulnerabilities ever
found that couldn't be reasonably anticipated and prevented by following

[ MDVSA-2010:113 ] wireshark

 * The SMB dissector could dereference a NULL pointer. (Bug 4734)
 * J. Oquendo discovered that the ASN.1 BER dissector could overrun
 the stack.
 * The SMB PIPE dissector could dereference a NULL pointer on some
 platforms.
 * The SigComp Universal Decompressor Virtual Machine could go into
 an infinite loop. (Bug 4826)
 * The SigComp Universal Decompressor Virtual Machine could overrun
 a buffer. (Bug 4837)
 _______________________________________________________________________


Filesystem access in DOSBox 0.72

======
2) Bug
======


DOSBox acts as a virtual machine in which the filesystem is limited to
the folders that the user decides to mount as virtual drives and any
instruction is emulated within DOSBox without accessing the external
resources and memory.
So practically the emulated DOS program can work only inside this
"cage" (that's also why it is possible to run viruses and malware without


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.