VMware is rejigging the way it shares memory among virtual machines, after turning off Transparent Page Sharing (TPS) because academics identified insecurities in the technology.
The academic paper is entitled “Wait a minute! A fast, Cross-VM attack on AES”
https://eprint.iacr.org/2014/435.pdf
slightly different opinions
http://vsphere-land.com/news/why-the-vmware-vsphere-tps-vulnerability-is-a-big-deal.html
http://wahlnetwork.com/2014/10/20/tps-vulnerability/
https://www.vmware.com/security/advisories/VMSA-2013-0003.html
VMware vCenter Server, ESXi and ESX contain a vulnerability in the handling of the Network File Copy (NFC) protocol. To exploit this vulnerability, an attacker must intercept and modify the NFC traffic between vCenter Server and the client or ESXi/ESX and the client. Exploitation of the issue may lead to code execution.
To reduce the likelihood of exploitation, vSphere components should be deployed on an isolated management network
https://www.vmware.com/security/advisories/VMSA-2013-0002.html
VMware ESX, Workstation, Fusion, and View address a vulnerability in the VMCI.SYS driver which could result in a privilege escalation on Windows-based hosts and on Windows-based Guest Operating Systems.
(local escalation)
https://www.vmware.com/security/advisories/VMSA-2012-0011.html
Input data is not properly validated when loading Checkpoint files. This may allow an attacker with the ability to load a specially crafted Checkpoint file to execute arbitrary code on the host.
Mitigation - Do not import virtual machines from untrusted sources.
https://www.vmware.com/security/advisories/VMSA-2012-0009.html
VMware host memory overwrite vulnerability (function pointers)
Due to a flaw in the handler function for RPC commands, it is possible to manipulate function pointers within the VMX process. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host.
Mitigation: Do not allow untrusted users access to your virtual machines. Root or Administrator level permissions are not required to exploit this issue.
https://www.vmware.com/security/advisories/VMSA-2012-0007.html
The access control list of the VMware Tools folder is incorrectly set. Exploitation of this issue may lead to local privilege escalation on Windows-based Guest Operating Systems.
(local escalation)
https://www.vmware.com/security/advisories/VMSA-2012-0006.html
A flaw in the way port-based I/O is handled allows for modifying Read-Only Memory that belongs to the Virtual DOS Machine. Exploitation of this issue may lead to privilege escalation on Guest Operating Systems that run Windows 2000, Windows XP 32-bit, Windows Server 2003 32-bit or Windows Server 2003 R2 32-bit.
(local escalation)
https://www.vmware.com/security/advisories/VMSA-2012-0005.html
VMware Tools Display Driver Privilege Escalation
(local escalation on windows)
...
https://www.vmware.com/security/advisories/VMSA-2009-0015.html
local privilege escalation https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2267
and also read files from host https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3733
and plenty of links to papers and vulns, historical ones, ... in particular VMware
virtualization in general (Intel)
-
An Empirical Study into the Security Exposure to ... - Tavis Ormandy
http://taviso.decsystem.org/virtsec.pdf
Virtualisation security and the Intel privilege model Tavis Ormandy, Julien Tinnes Nov 2009
https://www.cr0.org/paper/jt-to-virtualisation_security.pdf
Security and Virtualization - OSSIR
http://www.ossir.org/jssi/jssi2009/3A.pdf
Breaking virtualization by switching to Virtual 8086 mode
http://www.hackitoergosum.org/2010/HES2010-jbrossard-Breaking-Virtualization-by-switching-to-Virtual-8086-mode.pdf
Extracted URLs/info:
Privilege escalation on the host: VMware Tools HGFS Local Privilege Escalation Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=712
Privilege escalation on the Guest:
CVE-2009-2267 « Mishandled exception on page fault in VMware » Tavis Ormandy and Julien Tinnes
Attacking other guests: VMware Workstation guest isolation weaknesses (clipboard transfer)
http://www.securiteam.com/securitynews/5GP021FKKO.html
DoS (Host + Guests)
CVE-2007-4591 CVE-2007-4593 (bad ioctls crashing the Host+Guests)
Escape to host Rafal Wojtczuk (Invisible things, BHUS 2008)
IDEFENSE VMware Workstation Shared Folders Directory Traversal Vulnerability (CVE-2007-1744)
Runs 8086 (v86) programs on amd64: http://v86-64.sourceforge.net/
and similar presentations http://fr.slideshare.net/endrazine/hackinthebox-breaking-virtualization-by-any-means
http://fr.slideshare.net/kbour23/d1-t2-jonathan-brossard-breaking-virtualization-by-switching-to-virtual-8086-mode
-
http://www.pauldotcom.com/2007/07/31/escaping_from_the_virtualizati.html
-
A Survey on the Security of Virtual Machines (a 2009 survey paper)
http://www.cs.wustl.edu/~jain/cse571-09/ftp/vmsec/
Side-channel cryptographic attacks between virtual machines
http://www.secuobs.com/news/05112012-cross_vm_side_channel_attacks.shtml#contenu
-
VMware - some considerations and links
http://security.stackexchange.com/questions/3056/how-secure-are-virtual-machines-really-false-sense-of-security
vswitch
http://bradhedlund.com/2010/02/10/vswitch-illusion-dmz-virtualization/
old stuff
- Cloudburst: Hacking 3D (and Breaking Out of VMware)
http://www.blackhat.com/presentations/bh-usa-09/KORTCHINSKY/BHUSA09-Kortchinsky-Cloudburst-SLIDES.pdf
paper cited for understanding SVGA: GPU Virtualization on VMware's Hosted I/O http://www.usenix.org/event/wiov08/tech/full_papers/dowty/dowty.pdf
advisories
- http://www.vmware.com/security/advisories/VMSA-2013-0002.html
VMware ESX/ESXi 'VMCI.SYS' Driver Flaw Lets Local Users Gain Elevated Privileges
details http://www.cylance.com/labs/advisories/02-08-2013-Advisory.shtml (see the printout in the PDF)
not the first time this has happened: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1147
VMware tools
-- Install & config guide ("Installation et configuration de VMware Tools", VMware, Inc.), PDF page 50 and following:
Virtual Machine Communication Interface (VMCI) for ESXi 5.0 and earlier versions. This setting applies to ESXi 5.0 and earlier virtual machines. It does not apply to ESXi 5.1 and later virtual machines.
If the VMCI interface is not restricted, a virtual machine can discover, and be discovered by, the other virtual machines that have the same option enabled on the same host. Custom-built software that uses this interface may contain unexpected security flaws that can be exploited. In addition, a virtual machine can detect the number of virtual machines present on the same ESX/ESXi system by registering the virtual machine. This information could be used for malicious purposes. The virtual machine can be exposed to the others in the system as soon as at least one program is connected to the VMCI socket interface. Use the .vmx parameter to restrict the VMCI interface:
vmci0.unrestricted = "FALSE"
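As an added example (not from the VMware guide or any VMware tool), here is a small Python audit that parses .vmx files and reports whether each VM explicitly carries the restricting setting quoted above. The sample .vmx contents, the VM names and the `needs_attention` policy (anything other than an explicit `vmci0.unrestricted = "FALSE"` is flagged for review, since the excerpt does not state the default) are constructed assumptions; treating .vmx keys case-insensitively is also an assumption of this script.

```python
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed sample .vmx contents (hypothetical VMs, not real configs).
SAMPLE_RESTRICTED = '''.encoding = "UTF-8"
config.version = "8"
displayName = "web01"
vmci0.present = "TRUE"
vmci0.unrestricted = "FALSE"
'''

SAMPLE_UNRESTRICTED = '''displayName = "build02"
vmci0.present = "TRUE"
vmci0.unrestricted = "TRUE"
'''

SAMPLE_UNSET = '''displayName = "legacy03"
vmci0.present = "TRUE"
'''

# One .vmx line: key = "value" (quotes are optional in the wild).
VMX_LINE = re.compile(r'^\s*([\w.:-]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse .vmx text into a dict. Assumption: keys are case-insensitive,
    so they are lower-cased; blank lines and '#' comments are skipped."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = VMX_LINE.match(line)
        if match:
            settings[match.group(1).lower()] = match.group(2).strip()
    return settings


def vmci_status(settings: Dict[str, str]) -> str:
    """'restricted' only for an explicit FALSE; 'unset' when the key is
    absent (default not asserted here); otherwise 'unrestricted'."""
    value = settings.get("vmci0.unrestricted")
    if value is None:
        return "unset"
    return "restricted" if value.lower() == "false" else "unrestricted"


def audit_vmx_text(name: str, text: str) -> Tuple[str, str]:
    """Audit one .vmx body, returning (name, status)."""
    return name, vmci_status(parse_vmx(text))


def audit_directory(root: Path) -> List[Tuple[str, str]]:
    """Audit every *.vmx below root (e.g. a datastore mount)."""
    return [audit_vmx_text(str(p), p.read_text(errors="replace"))
            for p in sorted(root.rglob("*.vmx"))]


def needs_attention(findings: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Policy: anything not explicitly restricted is worth a look."""
    return [f for f in findings if f[1] != "restricted"]


if __name__ == "__main__":
    samples = {"web01.vmx": SAMPLE_RESTRICTED,
               "build02.vmx": SAMPLE_UNRESTRICTED,
               "legacy03.vmx": SAMPLE_UNSET}
    results = [audit_vmx_text(n, t) for n, t in samples.items()]
    for name, status in results:
        print(f"{name}: vmci0.unrestricted -> {status}")
    print("review:", [n for n, _ in needs_attention(results)])
```

Point `audit_directory` at a mounted datastore path to run it over real inventory; the `unset` bucket is deliberately kept separate from `unrestricted` so the two cases can be handled under different policies.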
Security of the VMCI Device
http://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.vmci.pg.doc%2FvsockSecurity.7.1.html
VMware ESX, Workstation, Fusion, and View VMCI privilege escalation vulnerability
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1406
Analysis: http://www.cylance.com/labs/advisories/02-08-2013-Advisory.shtml
PoC: https://rstforums.com/forum/66198-vmci-sys-ioctl-host-guest-privilege-elevation-cve-2013-1406-a.rst
MS blurb on Workstation: http://technet.microsoft.com/en-us/security/msvr/msvr13-003
VMware Scripts & Resources
https://s3.amazonaws.com/virtuallyghetto-download/hidden_vmx_params.html
another list
http://sanbarrow.com/vmx/vmx-advanced.html
VMware Security Certifications & Validations (see also the guides tab for hardening guides)
https://www.vmware.com/support/support-resources/certifications.html
summary
VMware ESX 4.1, ESXi 4.1 and vCenter Server 4.1 have achieved Evaluation Assurance Level 4+ (EAL4+) certification in December 2010.
VMware vSphere 5.0 has achieved Common Criteria Certification at EAL4+.
The rest is in progress.
VMCI sockets
http://www.vmware.com/support/developer/vmci-sdk/
PDF and link http://pubs.vmware.com/vsphere-51/topic/com.vmware.vmci.pg.doc/vsockPreface.html
http://pubs.vmware.com/vsphere-51/topic/com.vmware.ICbase/PDF/ws8x_esx51_vmci_sockets.pdf
VMCI SDK (old stuff)
http://pubs.vmware.com/vmci-sdk/
http://www.phoronix.com/scan.php?page=news_item&px=MTI3MTE
good old backdoor
https://sites.google.com/site/chitchatvmback/backdoor
http://articles.sysprogs.org/kdvmware/guestrpc.shtml / http://articles.sysprogs.org/kdvmware/guestrpc/
HSC presentation http://www.ossir.org/sur/supports/2008/OSSIR_VMware_20080807.pdf
vsock / vmci in kernel
https://lwn.net/Articles/481611/
https://lwn.net/Articles/531950/
Subject: [RFC 0/5] Introduce VM Sockets virtio transport http://www.spinics.net/lists/kvm/msg93288.html
Unrelated, but interesting: http://trac.evolix.net/infogerance/wiki/ServeurVMware