Two VMware Vulnerabilities Found, Fixed
- By Joab Jackson
- June 06, 2008
A pair of vulnerabilities found in several VMware Linux products will require
users to update these products to resecure their systems, security analysis
firm iDefense announced yesterday.
In the first
vulnerability, users can inject arbitrary code into a virtual environment
when asked by the VMware program to specify a directory for shared library modules.
The software's vmware-authd
function grants the user root privilege for this transaction.
VMware Workstation Version 188.8.131.52824 for Linux, VMware GSX Server Version
184.108.40.20697 for Linux and VMware ESX Server 220.127.116.11039 (which does not require
an operating system to run) are vulnerable.
VMware has updated
its software to eliminate this vulnerability. Alternatively, iDefense recommends
modifying the file permissions for the vmware-authd set-uid binary, either eliminating
root access entirely or restricting its use to trusted groups.
The second vulnerability, discovered by Stephen Fewer at Harmony Security,
occurs in VMware Workstation 5.5.4 with the VMware Tools package installed when
it runs a guest version of Windows. This flaw allows an unprivileged user to
send arbitrary code to the Windows kernel through a VMware driver called hgfs.sys,
which has no access controls.
"With specially constructed input, a malicious user can use functionality
within the driver to patch kernel addresses and execute arbitrary code in kernel
mode," the iDefense bulletin stated.
VMware has issued
a patch to correct the problem. Removal of the Tools package would also
eliminate the vulnerability.
Both vulnerabilities have been been submitted to the Common
Vulnerabilities and Exposures (CVE) standardized list of names for security
issues. The first has been issued the identifier CVE-2008-0967 and the second
According to iDefense, VMware was notified about the vmware-authd vulnerability
on Jan. 30 and the Tools vulnerability on Sept. 19. In both cases, the company
responded the same day. The two companies issued a joint public disclosure on
the vulnerabilities yesterday.
Joab Jackson is the chief technology editor of Government Computing News (GCN.com).