back to article Video nasty lets VMware guests run code on hosts

VMware's given vAdmins a busy Friday by disclosing three nasties to patch. One's a video nasty dubbed CVE-2017-4924 and impacts VMware ESXi, and the desktop hypervisors Workstation & Fusion. This one's “an out-of-bounds write vulnerability in SVGA driver device*” , an old virtual graphics card toolkit. The bug “may allow a …

Anonymous Coward

Enough is enough!

Thinking seriously about adding “it’s 20\d\d and” to my RSS block list for El reg.

3
3
Anonymous Coward

Re: Enough is enough!

I don't know, it's a useful reminder when I forget what year it is.

3
0
Holmes

Re: Enough is enough!

It's 2017, and anonymous cowards are still threatening* to block El Reg articles from their late-90's technology news feed services.

*a bit too cowardly to click the "block" button for real though

2
2
Silver badge

Guests already do execute code on the host

The days of instruction sets being fully emulated are - unfortunately - gone. Most of the machine code of a program running in a VM actually runs directly on the host CPU when the VM CPU type is the same as the host, with only certain actions being trapped. I'm not up on the specific details, but its been like this for a long time now.

3
0

Re: Guests already do execute code on the host

Err, yes; that's the difference between emulation and virtualisation. It's how code running in a VM gets native performance, not 1-2 orders of magnitude lower. I wouldn't call that unfortunate, I'd call it progress.

I think the issue here is essentially like a kernel vulnerability that can be exploited for privilege escalation. That is, it's a way to run code in the context of the host, instead of being restricted to the guest, like a kernel vulnerability may allow code to run in the context of the operating system, instead of being restricted to the user process.

6
1
Silver badge

Re: Guests already do execute code on the host

"I wouldn't call that unfortunate, I'd call it progress."

Well hardly progress. If you want to run a contained program natively on a system you don't need a VM in the first place - virtual memory multi process OS's have been doing that for almost 50 years. Anyway, it would be nice if the option of pure virtualisation was available.

7
2

Re: Guests already do execute code on the host

VMs are different from multi-process OS's -- If someone wants to run a RHEL5 user process but the kernel is Windows or MacOS or a different version. I.e. you need a multi-kernel "OS", which what the VM gives. Executing most instructions natively should be fine as long as dangerous instructions are intercepted.

In this case native/emulated does not seem to be the problem. Instead for SVGA at least, the issue is that to implement graphics for a VM running on desktop Fusion/Workstation you need code running in the hypervisor pretending to be real video hardware, possibly also different video/network drivers in the VM guest as well (e.g. "vmnet" instead of hardware ethernet). It looks like this code that emulates the SVGA hardware had the security bug.

5
0
Silver badge

Re: Guests already do execute code on the host

"I.e. you need a multi-kernel "OS", which what the VM gives."

Yes, but how often does that happen? Usually VMs are used as an easy way to manage multiple large applications or user enviroments on Windows platforms since Windows itself isn't very good at it. DLL hell etc.

2
2

Re: Guests already do execute code on the host

RE: "Yes, but how often does that happen? Usually VMs are used as an easy way to manage multiple large applications or user enviroments on Windows platforms since Windows itself isn't very good at it."

There's also this thing called cloud compute where people want to run VMs securely, no ...?

0
4
Silver badge

Re: Guests already do execute code on the host

"There's also this thing called cloud compute where people want to run VMs securely, no ...?"

Cloud computing is nothing more than a marketing term, It has existed since before TCP/IP was invented and used to just be called a remote server. It doesn't require VMs at all to work though obviously they're supported, however most (all?) cloud providers give you the option of running natively on the metal.

3
0
Bronze badge

Re: Guests already do execute code on the host

I agree - Cloud is not all that new. Most of the attributes of Cloud are found in MVS and VM.

3
0
Silver badge
Alien

Containers

Why don't we see that many stories about container security, surely they're infinitely more pwnable than VMs?

Conspiracy?

0
2
K
Silver badge

Re: Containers

@Scrubber.. Pssstt Pssstt over here..

I'll share what I know... Nobody actually uses them!

6
0
WTF?

VMware is mainly for servers, right? Why would anyone _really_ need a server with a head?

1
2

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2017