VMware fixing security vulnerability in virtualization products
Security company Core Security Technologies discovered a major flaw in several VMware virtualization products that could unintentionally leave companies exposed to hackers.
The flaw allows a malicious user on the guest operating system to eventually gain full control of the host system, including the ability to "create or modify executable files." The attack works by bypassing security controls in VMware's shared folder feature, which lets users quickly copy documents between host and guest systems.
Core Security also released a technical description and proof-of-concept code that demonstrates how malicious users can exploit the bug.
"Organizations often adopt virtualization technologies with the assumption that the isolation between the host and guest systems will improve their security posture. This vulnerability provides an important wake-up call to security-concerned IT practitioners. It signals that virtualization is not immune to security flaws and that 'real' environments aren't safe simply because they sit behind virtual environments," Core Security Technologies CTO Ivan Arce said in a statement.
VMware says it is currently working on a patch to fix this vulnerability, and has given affected users instructions on how to disable shared folders in the Global settings and for individual virtual machines.