 daveinpoway
join:2006-07-03 Poway, CA | Critical VMWare bug lets attackers zap "real" Windows
Read the article here: »www.infoworld.com/article/08/02/···08-02-25 |
|
  La Luna Surviving Ashraful Premium join:2001-07-12 Hewitt, NJ clubs:
·Optimum Online
·Vonage
| As of Sunday, there was no patch available for the flaw, which affects VMware's Windows client virtualization programs, including Workstation, Player, and ACE. The company's virtual machine software for Windows servers and for Mac- and Linux-based hosts are not at risk....
VMware has not posted a fix, but it instead told users to disable shared folders.
The Palo Alto, Calif.-based company also made it clear that the vulnerability isn't present in its server line of virtual machine software; VMware Server and ESX Server do not use shared folders. Newer versions of VMware's Windows client virtualization tools also disable shared folders by default, the company added. Users must manually turn on the feature to be vulnerable.... -- 10,626 DEADLY TERROR ATTACKS SINCE 9/11~~TEAM DISCOVERY Can't feel you anymore, don't need you anymore, don't believe you anymore, I don't need you anymore
|
|
 Mele20 Premium join:2001-06-05 Hilo, HI
| reply to daveinpoway "Workaround Until VMware releases a patch to fix this issue, users of affected Windows-hosted VMware products should disable shared folders."
»kb.vmware.com/selfservice/micros···=1004034
I use shared folders all the time so I hope VMWare issues a patch soon! -- "The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason |
|
  EGeezer Spring is here Premium join:2002-08-04 Central Ohio clubs:
·RoadRunner Cable
·AT&T CallVantage
| reply to daveinpoway Well, I guess that takes care of the "I'm running in a virtual machine, so my system is unhackable" issue. It's no longer the silver bullet it was touted to be by some folks.
Core security bulletin with details, POC information, CVE and Bugtraq links, affected applications, workarounds and patch status here; »www.coresecurity.com/?action=item&id=2129: |
|
 Mele20 Premium join:2001-06-05 Hilo, HI
| said by EGeezer : Well, I guess that takes care of the "I'm running in a virtual machine, so my system is unhackable" issue. It's no longer the silver bullet it was touted to be by some folks.
That article is wrong because VMWareStation 6 does NOT HAVE SHARED FILES ENABLED BY DEFAULT. That article should have quoted the vendor correctly. I also think it irresponsible of coresecurity to publicize this before the vendor has a patch ready. I have Workstation 5.5 where shared folder is enabled by default and I created a folder to share between the host and the guest so I was vulnerable to this until I turned off shared folders which took about 2 seconds. I mention this because I really don't appreciate some security group looking for publicity making this public before VMWare had a patch.
"Response
By default, the shared folders feature is disabled in Workstation 6, Player 2, and ACE 2. In order to exploit this vulnerability, the virtual machine must have the shared folders feature manually enabled and at least one folder configured for sharing between the host and guest. Given the requirements of the vulnerability, it cannot be exploited by default in Workstation 6, Player 2, and ACE 2.
Workstation 5, Player 1, and ACE 1 enable the shared folders feature by default, but exploiting this vulnerability still requires at least one folder to be configured as shared between the host and guest. Given the requirements of the vulnerability, it cannot be exploited by default in Workstation 5, Player 1, and ACE 1. The issue affects all currently supported Windows-hosted versions of VMware Workstation, ACE, and Player. The issue does not affect VMware ESX Server or VMware Desktop Infrastructure products. There have been no reports of this issue occurring in customer environments."
»kb.vmware.com/selfservice/micros···=1004034 |
|
  VmWare
@giantlogic.net
thumbs down from: Cabal 
| "I also think it irresponsible of coresecurity to publicize this before the vendor has a patch ready."
yeah how dare they report the news, shame on them |
|
  Grail Knight Who Dares Wins Premium join:2003-05-31 Erie, PA
·Verizon Online DSL
| reply to Mele20 quote: I mention this because I really don't appreciate some security group looking for publicity making this public before VMWare had a patch.
Maybe you should read the Additional Information at the bottom of this page before you criticize Core Security.
»www.coresecurity.com/?action=item&id=2129:
The dates are what you want to pay attention to. -- "There is nothing more deceptive than an obvious fact". - Sherlock Holmes |
|
  Bubba1 Less is More Premium join:2006-09-21
| reply to daveinpoway Well, imagine that. Though it's been on my "to do" list for a while, I've just recently (days) "discovered" VMWare and its amazing capabilities.
I'm thinking this is but a small bump-in-the-road delay to an already made purchase decision for Windows Workstation. Heck, I may even buy some stock.
The clouds will clear and the sun will shine bright again .. soon. Birds will probably chirp too.  -- "Fast is fine, but accuracy is everything" --Wyatt Earp |
|
  EGeezer Spring is here Premium join:2002-08-04 Central Ohio clubs:
·RoadRunner Cable
·AT&T CallVantage
edit: February 26th, @11:59PM
| reply to Grail Knight
said by Grail Knight :
said by Mele20 : I mention this because I really don't appreciate some security group looking for publicity making this public before VMWare had a patch.
Maybe you should read the Additional Information at the bottom of this page before you criticize Core Security. » www.coresecurity.com/?action=item&id=2129: The dates are what you want to pay attention to.
Agreed - there has been plenty of time and several missed dates on the part of the vendor. The history is one of delays and missed commitments.
Mele's assertion
That article is wrong because VMWareStation 6 does NOT HAVE SHARED FILES ENABLED BY DEFAULT. That article should have quoted the vendor correctly.
is in error - see
said by IW article :
The Palo Alto, Calif.-based company also made it clear that the vulnerability isn't present in its server line of virtual machine software; VMware Server and ESX Server do not use shared folders. Newer versions of VMware's Windows client virtualization tools also disable shared folders by default, the company added. Users must manually turn on the feature to be vulnerable.
It also links to the vendor's response as well as the disclosure page. Whether shared folders is enabled by default or by the user makes no difference as to whether the vulnerability exists. If the user has shared folders enabled with one of the affected products on the specified platform, the vulnerability exists. |
|
 Mele20 Premium join:2001-06-05 Hilo, HI
| reply to Grail Knight
said by Grail Knight :
quote: I mention this because I really don't appreciate some security group looking for publicity making this public before VMWare had a patch.
Maybe you should read the Additional Information at the bottom of this page before you criticize Core Security. » www.coresecurity.com/?action=item&id=2129: The dates are what you want to pay attention to.
I read that before I posted. There is obviously a strained relationship there. Core Security claims all that interaction with VMWare but even so they cannot get their facts straight in the article...uh huh...yeah....They should have waited until March 15 when the patch should be ready. There was no need for them to make VMWare users vulnerable if they don't turn off file sharing now. If they had kept their mouth shut since VMWare reports no users affected adversely then we could have continued to use file sharing while waiting for the patch. Now though that the weakness has been blared all over the place prematurely some hacker will try and take advantage so we have to turn off file sharing until the patch is issued. The patch is already out for some products.
VMWare Workstation and Player are outstanding products and while Core Security tries to intimate that VMWare is dragging their heels in fixing this, I don't believe that is true. |
|
 Mele20 Premium join:2001-06-05 Hilo, HI
| reply to EGeezer Core Security MISSTATED the issue. Read their article again if you can't see that. I repeat that File sharing is NOT enabled by default on VMWAre Workstation 6 or Player2. So you are wrong. There is NO vulnerability in Workstation 6 or Player 2 unless the user deliberately makes him/herself vulnerable by enabling file sharing and setting up at least one folder to be shared. Even in Ver 5.5 of Workstation and ver. 1 of Player where file sharing is checked by default there still is no vulnerability unless the user chooses to set up file sharing and makes at least one file to be shared. That damn article and other parrots on the internet are trying to make it sound like VMWare has this huge hole. Nope. The problem exists ONLY for a sub category of users. Core Security wants to stick to VMWare and so they behaved very irresponsibly and have now made people like me vulnerable because they publicized this. Thus, I turned off file sharing. Although, of course, the moment I want to share a file it goes back on long enough to share the file because drag and drop has limitations.
This is all about deliberately trying to damage VMWare and get publicity. The same thing happens to Microsoft. |
|
  Grail Knight Who Dares Wins Premium join:2003-05-31 Erie, PA
·Verizon Online DSL
edit: February 27th, @10:08AM
| reply to Mele20
quote: I read that before I posted. There is obviously a strained relationship there.
I see no strain at all but a failure by VMWare to maintain a dialog with Core Security which has resulted in VMWare being in the hot seat now and you do not like it.
quote: Now though that the weakness has been blared all over the place prematurely some hacker will try and take advantage so we have to turn off file sharing until the patch is issued
Core Security gave the devs of VM Ware ample time to get their patch released. Too bad VMWare failed to maintain a dialog.
quote: VMWare Workstation and Player are outstanding products and while Core Security tries to intimate that VMWare is dragging their heels in fixing this, I don't believe that is true.
Believe whatever you want to but the facts are there for all to see. That is those that want to see them.
Kudos to Core Security.
Edit* Removed one comment and changed some wording. |
|
 diver196
join:2003-12-09 | reply to daveinpoway According to the Vmware kb article, the latest version of Workstation 5 (5.5.5) is not affected. |
|
  La Luna Surviving Ashraful Premium join:2001-07-12 Hewitt, NJ clubs:
·Optimum Online
·Vonage
| reply to Mele20
said by Mele20 : ....I repeat that File sharing is NOT enabled by default on VMWAre Workstation 6 or Player2. So you are wrong. There is NO vulnerability in Workstation 6 or Player 2 unless the user deliberately makes him/herself vulnerable by enabling file sharing and setting up at least one folder to be shared.... This is all about deliberately trying to damage VMWare and get publicity. The same thing happens to Microsoft.
So what about other users (besides you) who may have enabled file sharing? They shouldn't know about this vulnerability so they can UNenable as a work around if they choose to, just like you did because you happened to read this thread?
And since when do you believe MS vulnerabilities shouldn't be reported? You are one of the first to bash them when vulnerabilities are reported and about how "long" it takes them to patch.
|
|
  Bubba1 Less is More Premium join:2006-09-21
| said by La Luna :
said by Mele20 : This is all about deliberately trying to damage VMWare and get publicity. The same thing happens to Microsoft.
So what about other users (besides you) who may have enabled file sharing? They shouldn't know about this vulnerability so they can UNenable as a work around if they choose to, just like you did because you happened to read this thread?
.. do you ever just grow fatigued?
Personally, and especially after reading how long VMWare camped on this, possibly endangering EVERYONE .. they, rightfully, ought to take their place next to the equally eeeeeevil Kaspersky. You think? |
|
  Anon008
@tele.dk
| reply to Mele20
said by Mele20 : Core Security wants to stick to VMWare and so they behaved very irresponsibly and have now made people like me vulnerable...
I'd say it's the opposite.
You are now aware that there is a vulnerability so you can take action and protect yourself. |
|
  EGeezer Spring is here Premium join:2002-08-04 Central Ohio clubs:
·RoadRunner Cable
·AT&T CallVantage
edit: February 27th, @02:44PM
| reply to Mele20
said by Mele20 : This is all about deliberately trying to damage VMWare and get publicity. The same thing happens to Microsoft.
No, it's about notifying those who, like yourself, manage systems with enabled file sharing and are vulnerable and need to know about it to protect their data and that of the people and businesses they are serving.
VMWare had plenty of time to address the issue and hasn't. They could have issued their advisory earlier but didn't. See »seclists.org/fulldisclosure/2008···452.html and read the timeline to see the dates, commitments, lack of communications and failures.
said by seclists - with my notes and bolding :
*Report Timeline*
. *2007-10-16*: Initial contact email sent to the VMware Security Team notifying discovery of a Priority 1 vulnerability in accordance to the vendor's security policy [9]. A draft security advisory describing the problem is available. Public disclosure of the vulnerability is scheduled on November 5th, 2007. (MY NOTE - Core cooperated by moving back this date on the expectation that the vendor would keep their word.)
. *2007-10-17*: Vendor acknowledges notification, provides public key and requests a draft of the security advisory .
. *2007-10-17*: Core sends the draft advisory.
. *2007-10-19*: Vendor indicates it will be able to address the issue in a release planned for December.
. *2007-10-29*: Core requests an status update since there has been no communication since October, 17th, 2007. Vendor indicates it will be able to address the issue in a release planned for December, this information was already provided to Core on October 19th 2007 on a personal email exchange. The December release is likely to be move to the first week of January 2008. (MY NOTE - December release missed).
. *2007-10-29*: Core confirms that the December target was communicated on October 19th, 2007.
. *2007-11-26*: Core requests an status update, asking if the vendor is still on track to release fixes in December 2007 and on which specific date.
. *2007-11-26*: Vendor communicates that normally the release would be on December 27th, 2007 but since that date is in the middle of most people's holiday the release will be postponed to January. A specific date has not been set. (MY NOTE - Now it's because of the holidays - hackers don't take holidays.)
. *2008-01-07*: Core requests and status update since there has been no communication since November 26th, 2007. Core asks if the vendor is on track to release fixes on the second week of January 2008. VMware had released of a new version of its VI product line in December but had not indicate if this release included fixed versions of the vulnerable VMware products. Publication of CORE-2007-0930 has been re-scheduled for January 14th, 2007. (MY NOTE - CORE again moves back the date despite the fact that a new Version was released in December with no indication that the problem was addressed - and no communication was received from the vendor)
. *2008-01-08*: Vendor communicates that none of the updates released in December 2007 addressed the vulnerability reported by Core and provided an official list of supported product that are vulnerable and their respective versions. Vendor cannot commit to a specific date for the release of fixes but can commit to release a fix within the first quarter of the year (Q1/2008) (MY NOTE - more delays, promises). The upcoming release of minor version updates of vulnerable product is scheduled for February 14th.
. *2008-01-08*: Email reply from Core indicating that publication of CORE-2007-0930 has been re-scheduled to February 14th., 2008. Nonetheless, the lack of vendor commitment to a specific date for the release of fixes does not make the ballpark commitment of Q1/2008 any more credible than the previous estimations.
. *2008-02-06*: Core requests a status update since there has been no communication since January 8th, 2008. Core requests confirmation that VMware Server is not affected and asks if the vendor is on track to release fixes on February 14th. 2008 or on any other specific date within the first quarter of the year. In case that February 14th. 2008 was deemed not longer viable, Core will need notification by COB Monday January 11th, 2008.
. *2008-02-08*: Vendor response indicating that the release of new minor version updates to a subset of vulnerable supported products have been delayed and is now scheduled for February 24th., 2008. Minor version updates to another subset of the vulnerable products is planned for March 15th, 2008. VMware Server is confirmed not-vulnerable since it does not provide Shared Folders functionality (HGFS).
. *2008-02-08*: Core indicates that in view of the status update received from the vendor, publication of CORE-2007-0930 has been re-scheduled for Feb. 25th. 2008, this new date is still subject to change if and only if; i) Vendor confirms by Feb 13th. that the upcoming product releases planned for Feb. 25th. will indeed fix the bug. ii) Vendor commits by Feb. 13th. to a fix release date for the remaining set of affected products. iii) Vendor communicates any change to the Feb. 25th. release date by COB Feb 20th. and the new release date does not exceed 6 working days from the currently scheduled date. (My note - another disclosure rollback to accommodate the vendor)
. *2008-02-22*: Final draft of CORE-2007-0930 sent to VMware's Product Security Group. Any additional information to be included in the advisory should be received by COB Friday February 22nd.
. *2008-02-25*: CORE-2007-0930 published.
I'll stand by my earlier post. The IW article is accurate. They clearly stated file sharing is not enabled by default on the newer products. If there are errors, I hope folks here will find them, quote the erroneous text and context and provide correcting text, which will be a good thing for all.
I have advised my customers to check file sharing settings and secure their VMWare clients accordingly per the article, Core Security and VMWare's own information.
There are many commercial systems with loads of identity, medical, financial and other personal information that are using VMWare servers and clients, some of which I'm personally involved with. Had it not been for this heads up, there would be many business and government systems whose data would be at risk. VMWare chose not to let us as customers and support people know they were at risk until the advisory was imminent.
So far, there's just one here complaining that the security issue has been made available to the IT community charged with securing systems which contain identity information (possibly yours in that population). If you feel the Core security article is in error, it would be productive for you to let them know and provide the supporting information. I'd guess that the hordes would descend with outrage upon any company whose data was compromised by this vulnerability, so knowing it's there is only a good thing.
Thanks, CORE, for responsible disclosure! |
|
 Mele20 Premium join:2001-06-05 Hilo, HI | reply to daveinpoway None of you have convinced me of one thing other than that you twist and distort and lie a lot. |
|
  Grail Knight Who Dares Wins Premium join:2003-05-31 Erie, PA
·Verizon Online DSL
edit: February 27th, @08:25PM
| So the facts we post taken directly from that report makes us liars? 
Face it Marilyn your vaunted VMWare failed to keep communications open with Core Security, failed to fix the issue in a timely manner, and failed to notify their customers about the issue and Core Security brought it all to light along with very good documentation.
Nothing is twisted or distorted except what your mind churns out on a daily basis.
Good luck with that.
Edit* Added more info and corrected communications. |
|