LAS VEGAS – BLACK HAT USA – Researchers discovered that a VMware API can be abused by vSphere users with limited privileges to access the guest operating system without authentication. VMware has provided workarounds for preventing potential attacks exploiting the vulnerability.
VMware vSphere is a virtualization product that includes ESXi hypervisors, vCenter Server for managing vSphere environments, and the vSphere Client, which is used to manage virtual machines (VMs).
The security issue was discovered by employees of data center and cloud security firm GuardiCore while analyzing VMware’s Virtual Infrastructure eXtension (VIX) API, which helps users write scripts to automate VM operations and manipulate files within the guest OS.
The VIX API includes functionality that allows direct access to the guest OS. While this functionality is primarily designed for use by VMware Site Recovery Manager, VMware Update Manager and VMware Infrastructure Navigator, GuardiCore researchers discovered that it can also be abused by vSphere users with limited privileges to access the guest OS.
In a presentation at the Black Hat security conference in Las Vegas, Ofri Ziv, VP of research at GuardiCore, revealed that an attacker can exploit the vulnerability to gain full control of the guest OS, including for arbitrary code execution with elevated privileges, lateral movement across the targeted data center (including to isolated networks), and data theft.
Ziv pointed out that such an attack is unlikely to be detected by many security products as it doesn’t leave any trace. The flaw impacts guest machines running ESXi 5.5 and VMware tools prior to version 10.1.0.
In order to exploit this flaw, the attacker requires basic knowledge of how the VIX API works and a limited vSphere account. This account needs to have the “Virtual Machine -> Configuration -> Advanced,” “Virtual Machine -> Interaction -> Guest Operating System Management by VIX API” and the “Host -> Configuration -> Advanced Settings” privileges for the attack to work.
This means that the attacker would most likely be a malicious insider. The vulnerability can be highly useful for breaking segmentation, which is a critical requirement for virtual environments. Even VMware tells customers that guest VMs should be isolated from the host and other guests running on the same host.
Ziv told SecurityWeek in an interview that isolation between VMs and their host is particularly important in financial institutions and other organizations where IT teams should not be allowed to access the sensitive data stored inside the VMs they manage.
VMware, which assigned this vulnerability the identifier CVE-2017-4919 and an “important” severity rating, published an advisory on Thursday. The company informed customers that vCenter Server versions 5.5, 6.0 and 6.5 are affected, and provided workarounds for VMs running on ESXi 6.0. The problematic functionality in the VIX API can be disabled manually in the case of VMware Tools 9.10.0 through 10.0.x. Starting with VMware Tools 10.1.0, the function has been disabled.
GuardiCore has released an open source risk assessment tool, PoC exploits, and a fork of open-vm-tools to address the vulnerability in ESXi 5.5. The company has also published a blog post containing technical details.