Martin McKeay

Escaping a virtual machine

By Martin McKeay
July 31, 2007 12:13 PM EDT
Virtual machines are all the rage right now, but that might be about to change. One of the main attractions of VMs was the knowledge that even if the virtual machine was compromised, the host OS was secure. Or at least it was until now. Ed Skoudis and Tom Liston from Intelguardians have discovered a way to crash the guest operating system and run arbitrary code on the host operating system. They demonstrated their technique to attendees at SANSFIRE 2007 last Friday, though the specific details of the compromise were kept secret from the audience.

There have been VMware vulnerabilities discovered before, but this is the first vulnerability that allows the host OS to be compromised. It's a serious concern, since many VM users haven't adequately protected their host OS, expecting the virtual aspect of the systems to protect it. This isn't just a VMware concern either, since many of the different virtual server products in use today use very similar code, and this vulnerability attacks that base. What's currently a VMware issue could apparently be ported to other virtual machine programs with very little modification.

The only good news in this scenario is that it may not work on a fully patched installation.  Skoudis and Liston were being cagey about the patching level of the system they were working on and wouldn't confirm that the patching was completely up to date.  It should go without saying that we all need to be as up to date as possible on patching, but VM images often seem to be the lowest priority for patching in many shops.

This doesn't mean that VMware and virtual machines in general are insecure, but it does mean that IT shops will need to pay the same attention to their VMs as they do to any other computer system. We can't rely on quickly rebuilding a VM if it gets compromised, since a compromised guest OS can now lead to a compromised host OS.