Security Ripcord


Network Extension Policy

February 20th, 2008 cutaway Posted in Management, Networking, Policy, Risk, Security Catalysts, Virtual Machines 1 Comment » 2,224 views

There is an interesting conversation in the Security Catalyst Community with the title “vmware bridge vs. NAT”. It started as a discussion about developers utilizing VMware for development on their local machines. The initial issue was whether to allow the developers to configure their systems so that the guest communicated through the host via NAT or to require that all guests be assigned an IP address on the network.

The thread has already gone through a spiral of recommendations and additional questions. I will not hash those out here. But what I found interesting is that this all comes back to a question of policy. The current policy, at this company, “stats [sic] that no workstation should route traffic.” One respondent pointed out that although the implementation of VMware might be a concern, perhaps the problem is actually the way that the policy has been written.

The way that policy is written should never get in the way of the desired goal for which the policy has been instated. What I mean by that is that the requirement that ‘no workstation should route traffic’ is a means, and not a goal. What you probably want is that no workstation should be able to connect networks in a way that they were not designed to.

Very sage advice.

All of this brings the risk of unauthorized network extension to the forefront. What I mean by network extension is any hardware or software configuration that permits other systems to utilize the network. What I mean by unauthorized is anything that has not gone through the proper approval channels to be placed on the network. We see examples of this all the time in most workplaces. Somebody attaches a network hub or switch so that they can have a desktop and a laptop. Another person bridges their network interfaces through their handy-dandy Microsoft XP configuration capabilities. And the one that everybody knows best: wireless, wireless, wireless. All of these scenarios can increase the risk to any environment. Not only do you have unauthorized systems on the network, but there is no telling how they have been configured, what software and hardware has been installed, or what the administrative passwords may be. Just to name a few.

So, how do we combat the extension of our network? Well, at my last job at the university, they started with (yup, you guessed it) policy. And despite a few rough encounters that occurred while confiscating equipment, I believe that they handled it quite well. First they began with an over-arching policy to kick off the control effort. (I have changed a few of the position and department titles to be more universal and understandable.)

All University data, video, wireless, and voice telephone network connectivity, including but not limited to active data net-attached lines, hubs, switches, telephones, wireless and extenders, must be approved by the Chief Technology Officer. Such connectivity must be coordinated and supervised by IT Department. Any installation not approved may be disconnected.

Next they developed policies with more detail that provided the users with information about the policy’s scope, applicability, terms, implementation, and consequences. They made it very clear that ownership and operation of the campus’ network would be handled by a specific department and that all approvals for connectivity would have to be processed by that department. They provided very clear wording to ensure that all users understood that this included any instances where the network was extended.

All hardware and software configured to extend or re-transmit the university network and telecommunications infrastructure, including all wireless technologies, must be approved by the Chief Technology Officer prior to acquisition and deployment. All systems, devices, and software capable of extending this infrastructure must adhere to configuration standards developed and maintained by the IT Department.

Finally, they very specifically stated what would occur if the policy was violated and the devices extending the network were located.

Any device, system, or software found in violation of this procedure may be confiscated and temporarily stored by the Chief Technology Officer or a representative of the office.

Of course these are all just snippets from several policies that combine into a proactive security stance for the University. But I believe they state very clearly the organization’s stance on network extension and may help those of you who have not considered these types of policies.

Now, where does this all get us with the original issue of permitting NATed VMware instances? I believe that it leaves it open to interpretation. It allows the IT personnel, developers, and Chief Technology Officer to negotiate an agreement by looking at the risks and implementing controls. The policies are flexible enough to permit this type of configuration with prior approval, while also empowering the IT department should a high-risk situation arise.

Go forth and do good things,

Don C. Weber


CISecurity VMWare ESX Benchmark

October 22nd, 2007 cutaway Posted in CISecurity, Virtual Machines No Comments » 2,647 views

Although I have been a big fan of the Center for Internet Security for a long time, I just recently started helping with some of their benchmarks. Actually, the only one that I have contributed to so far is the CIS Level 1 Benchmark for Virtual Machines. Currently, there are two documents associated with this benchmark.

  • The first is a General document (CIS_VM_Benchmark_1.0.pdf) that discusses the basic ins and outs of virtual machines. It covers the basic components as well as the common threats that occur across the various types of virtual machine environments.
  • The most recently updated document covers the VMware ESX Server (CIS_VMware_ESX_Server_Benchmark_1.0.pdf). This document is geared towards administrators and includes configuration settings and scripts to assist with administration and security tasks.

As with all of the benchmarks provided by CISecurity these are works in progress. As Chris Hoff stated in his post:

We’ve still got a ton of stuff that didn’t make the deadline cut-off for the first version of the document in follow-on iterations, but it’s a good start.

The management at CISecurity set a very tight work schedule for their benchmarks, especially new projects. The goal is to get the information available, get others interested in the standard, and get those people to contribute their findings and updates to help move the standard forward. This might initially seem aggressive, but when you take vendor updates into consideration you start to realize that if you try to hold off and make each one perfect you will never catch up.

So, if you are interested, contact CISecurity and volunteer your time to this or other projects. New projects are always in the works. The most recent one that I have been made aware of is a Check Point benchmark. Of course you can always jump into a current project and start to help. Actually, the Apache and Exchange 2007 projects are looking for immediate assistance. Even if you don’t think that you can provide very much input, teams can always use help with proofreading in addition to testing and updating scripts to work with the most recent software releases.

Go forth and do good things,
Cutaway


PDC VM Guest Escape Podcast and some Ramifications

August 29th, 2007 cutaway Posted in InGuardians, PDC, Virtual Machines 3 Comments » 4,537 views

Paul Asadoorian and Larry Pesce’s recent interview with InGuardians’ Ed Skoudis, Tom Liston, and Matt Carpenter is another must listen. It gives a great background to how the InGuardians team approached escaping from a virtual guest to obtain control of the host operating system. If you don’t have time to listen, Ed gave some similar but less detailed information in a comment on my original post on their release of this information.

Security professionals who are responsible for maintaining a security posture within their organization should, however, listen to the podcast whether they employ virtual environments or not. There are two reasons for this. First, if you don’t deploy virtual hosts then it is very likely that somebody will either ask you to investigate the technology or tell you to deploy it. Second, this interview gives great insight into the methodologies used by people who are trying to find attack vectors.

Let me elaborate on the second topic a little more. The days of hacking for fun are over. I think it is safe to say that nearly everybody has come to that realization (there may be a few holdouts in upper management but they will not last long). This means that the stakes are higher for the good guys and the bad guys. The interview with InGuardians shows us how a group of skilled and seasoned professionals attack a problem. If you think that the bad guys cannot get this organized then you are kidding yourself. Certainly there is always going to be the individual rogue element which, because of the focus a single person can apply, is dangerous. But when you get people operating together they become more efficient and effective. Sure, it took InGuardians two years to get a piece of software to function in a way that it was not intended and, now that their funding is over, they will not be focusing on this area. This is how the good guys act. They find and validate a threat vector, disclose it responsibly, and either keep working on the issue or move on to the next issue depending on funding. Do you think the bad guys would stop here? Do you think they would be satisfied with a proof of concept? Do you think their funding would dry up at this point? I do not. There is a reason the term “weaponized exploit” has been coined. If you still feel that the bad guys cannot get this organized, just ask Germany how they feel about their recent encounter with the Chinese. If you think one or two people were capable of this type of penetration then you are sadly mistaken. This was an organized, focused, and methodical attack. Does it matter whether it was a criminal organization or a government-funded group? In the case of this point, no. In the case of broader ramifications, yes. But that is another topic for another day.

This brings us back around to the concerns about virtual machine escape. I very much like how Ed and crew have kept their message on target. The proof of concept exploit that they demoed at SANSFIRE 2007 is important because of the fact that it is just that, a Proof Of Concept. Is it possible that they have a “weaponized exploit” that goes above and beyond what they demoed? Yes. But the fact remains, and they repeat this at the end of the podcast, that the protection is merely taking the possibility of this threat into consideration during the design, deployment, monitoring, and maintenance of your virtual environments. They have established a new threat vector and if organizations, especially the vendors of virtual environments, do not take it into consideration then, sometime in the future, you or somebody like you will get p0wned.

If you do get p0wned, don’t forget to call InGuardians to handle the incident response.  I hear they have a lot of experience in this area and, since they are professionals, I doubt they will say they told you so.

Go forth and do good things,
Cutaway

P.S. All of this reminds me.  Don’t forget Paul and Larry’s book on Linksys WRT54G Ultimate Hacking.



VMGameOver?

July 28th, 2007 cutaway Posted in Exploits, InGuardians, Virtual Machines, Vulnerability 3 Comments » 10,434 views

UPDATE: Don’t miss the detailed comment by Ed Skoudis.

I hope that you have been designing your implementation of virtual environments properly. It has been no secret that the crew of InGuardians has been feverishly working on a method to escape from a virtual guest and gain control of the host operating system. Well, according to a recent post by my good friend, Monty McDougal, who attended a presentation on the subject at SANSFIRE 2007, they might have accomplished it. Although Monty describes some of the interesting applications they have developed such as VMchat, VMcat, VMdrag-n-hack, VMdrag-n-sploit, and VMftp, it is the demonstration of an “unnamed” application that has Monty saying,

Additionally, another “un-named” application was run on the client OS. This ran for quite a while and eventually produced a crash of the client OS. While not immediately visible this had the effect of killing the client OS, but in doing so they were able to execute arbitrary code on the host OS thus providing a full escape of the virtualization that did not rely on the path traversal flaw above. The details of how this worked were not disclosed and I would not speculate as to how it was done, but I would call this VMowned and say it is GAME OVER.

Could it be true? I guess we will find out soon enough. Either way, if you are currently deploying virtual environments or just considering it, I would be sure to evaluate your deployment methods and updating procedures. Also, as Monty suggested, watch the Center for Internet Security as they will soon add a guideline for virtual environments to their list. I have helped with this document a little bit and a version for ESX should be released in the next couple of months. If you would like to help with the development of the ESX document or the other virtual technologies then check out how you can get involved at the CIS website.

I also highly recommend that you add Monty’s blog to your RSS feeds. Monty is very smart and I often look to him for guidance and leadership. We can all expect some very interesting insight and, if I know Monty, some very good technical posts.

BTW, Monty, you do need to turn on comments.

Go forth and do good things,
Cutaway


Let’s All Get Together

April 6th, 2006 cutaway Posted in Apple, Microsoft, Virtual Machines No Comments » 1,564 views

Finally, we are going to be able to merge the most popular operating systems onto one machine (well, almost all of them). Although I haven’t looked into it

LET THE RACES BEGIN!! It is only a matter of time until we see this with the capability to also install Linux. Of course the guys over at CyberSpeak Podcast have recently pointed out (I think it was the March 25th edition) that the Holy Grail is to be able to switch seamlessly between the systems without needing to reboot to the other operating system. Now, I will definitely buy stock in the company that comes out with that feature.

This definitely has great implications for the security professional. Although virtual systems are reliable and very handy, vulnerabilities are going to be serious issues in the future. In the same episode (if I remember correctly) the guys at CyberSpeak mentioned that there is malware out there that avoids deploying itself in virtual environments. How long before they leverage this for exploits and viruses on the child and parent systems? Besides, although the software version of VMWare’s Server Beta edition is free (as in registration), not everybody can afford a system that can handle multiple virtual operating systems running at the same time in a smooth fashion.

Now I just need to get a Mac. Can somebody talk to my wife about it?
Cutaway

Edit: More detailed information can be found at Hack in the Box.