Addressing the “Guest Escape” security vulnerability

VMware recently responded to the pwn2own security exploit against VMware Workstation.  Patches have been released for ESXi, Fusion, and Workstation.  VMware says they are not aware of the exploit being used in the wild.

Here’s VMware’s response:

The security advice boils down to following general best practices:

  • Depth in defense
  • Apply vendor patches

From the article:

As offensive security evolves, so does defensive security. With vSphere 6.5, VMware began deploying sandboxing technology around virtual machines to prevent a single arbitrary code execution from spreading across a host – a technique we have adapted from studying how web browsers and cell phones have evolved to defend against offensive security research. We are proactively disabling or removing legacy features – the loss in compatibility is increasingly outweighed by the reduction in attack surface. And we are investing deeply in ease-of-upgrade, recognizing that prompt security patches do little good if they cannot be deployed to production in time.

And:

When VMware models threats, we consider three categories of actor. The “nation-state” actor has vast resources but generally employs them against limited targets; such an actor will find a way to breach security, whether by technical means or something simpler (money, ideology). The “professional” actor has more limited resources, and tends to look for the softest and most profitable target; defending against this actor amounts to staying on or ahead of the security research curve. And the “script kiddie” uses off-the-shelf resources and previously-known issues; defending here generally requires little more than staying up to date, and the biggest risk is installations which fail to deploy existing patches. The Pwn2Own competition shows that the difficulty of hypervisor attacks is moving from the “nation-state” category to the upper end of the “professional” category. This is a trend we have been expecting for a while, as security research tools become more powerful.

Be sure to prioritize security focus appropriately.  Using low entropy passwords or allowing direct access to the management network are probably greater risks to your infrastructure security than more difficult to exploit issues such as this (YMMV and IMHO).

Vester – open source, native PowerCLI Configuration Management for vSphere

Recently, I was able to play around a bit with Vester, an open source native PowerCLI configuration management tool for vSphere environments.

The basic idea: 1) Build a configuration file from existing objects (VM, Host, Cluster, etc.), 2) tweak if needed, 3) audit all the things for compliance, and 4) remediate (optional).

At various customer sites, I find myself providing a particular type of code over and over – hey, there’s a hot KB setting tweak we need to apply, so let’s audit current state, test the change, update all objects in your environment, and then leave the customer a script to continue this audit/remediate cycle.  I’d like a better way, following the principle of DRY IT.

While other configuration management tools exist (such as ansible’s VMware module), I find that many VMware admins have a reasonable comfort level with PowerCLI but less so with other CM tools.  Additionally, in my role as a consultant, I may not have scope to engage in a full-blown deployment of CM tools.

However, most of my customers already have a place to run PowerCLI scripts.  This makes Vester an easy, fast solution.

Vester would allow me to hand my customer a PowerCLI module and config script, with simple instructions to run “Invoke-Vester” and “Invoke-Vester -Remediate”. This seems an elegant way to address the above use case. Pretty neat!

Still, in my assessment, this is definitely not a replacement for enterprise “infrastructure as code” and configuration management tools, which provide the feature rich framework required for managing IT at scale.  Instead, it is an easy to understand tool that is accessible to the majority of vSphere admins.  As such, I think it fills a much-needed niche between manual administration and full-blown infrastructure automation.

P.S. I have updated my Resources page to include the beginners guide to “contributing to a github project” I found useful here.  Although I’ve worked with github and some git basics, I found the linked guide helpful to see how the pieces fit together.