ESCALATING INSIDER THREATS USING VMWARE'S API

Size: px

Start display at page:

Download "ESCALATING INSIDER THREATS USING VMWARE'S API"

Dulcie Sims
5 years ago
Views:

1 ESCALATING INSIDER THREATS USING VMWARE'S API Ofri Ziv, GuardiCore Escalating Insider Threats Using VMware s API Page 1

cyber security research experience Prior work: Bondnet,

2 Who am I? VP Research at GuardiCore Head of GuardiCore Labs Security research Development of data analysis algorithms Msc in Computer Science Over 10 years of cyber security research experience Prior work: Bondnet, Infection Monkey Cloud & Data Center security company Escalating Insider Threats Using VMware s API Page 2

3 Agenda Overview of host-guest isolation model Use case (SOD) Attack Flow Demo Who is vulnerable? Mitigation Escalating Insider Threats Using VMware s API Page 3

4 Guest Machine From vsphere User to Guest Machine RCE Data Center Escalating Insider Threats Using VMware s API Page 4

5 Host-Guest Isolation Any virtualized data center needs to provide isolation between host and guest machines Separation of Duties Required by regulations Escalating Insider Threats Using VMware s API Page 5

6 Host-Guest Isolation Guest virtual machines should be isolated from the host and from other guests running on the same host. Interaction between the host and guests [ ] should occur only through channels with well-understood and documented security properties - VMware Escalating Insider Threats Using VMware s API Page 6

7 Isolation How To To use the VIX API for guest operation, applications must authenticate with two distinct security domains: 1. The client must first authenticate with the vsphere host. 2. The client must then supply a valid credential for the guest operating system on any virtual machine where it wants to perform guest operations - VMware Escalating Insider Threats Using VMware s API Page 7

8 A built-in functionality in vsphere breaks the host-guest security model Escalating Insider Threats Using VMware s API Page 8

9 DATA PLANE Host Guest Dr. Bob Patients Data Host Guest Alice CONTROL PLANE Escalating Insider Threats Using VMware s API Page 9

10 DATA PLANE Host Guest Dr. Bob Patients Data Host Guest Alice CONTROL PLANE Escalating Insider Threats Using VMware s API Page 10

11 DATA PLANE Host Guest Dr. Bob Patients Data Host Guest Alice CONTROL PLANE Escalating Insider Threats Using VMware s API Page 11

12 DATA PLANE Host Guest Dr. Bob Patients Data Host Guest Alice CONTROL PLANE Escalating Insider Threats Using VMware s API Page 12

13 DATA PLANE Host Guest Dr. Bob Patients Data Host Guest Alice CONTROL PLANE Escalating Insider Threats Using VMware s API Page 13

14 Dr. Bob Xray expert Alice Infrastructure engineer Escalating Insider Threats Using VMware s API Page 14

15 DATA PLANE Host Guest Dr. Bob Patients Data Host Guest Alice CONTROL PLANE Escalating Insider Threats Using VMware s API Page 15

16 DATA PLANE Guest Host Guest Dr. Bob Patients Data Host Guest Alice CONTROL PLANE Escalating Insider Threats Using VMware s API Page 16

17 data plane CRED CRED Dr. Bob User: Password:? Patients Data CRED CRED Alice host control plane Escalating Insider Threats Using VMware s API Page 17

18 An undocumented feature Undocumented authentication method Bypass guest authentication Leads to RCE on the guest machine Escalating Insider Threats Using VMware s API Page 18

Broken Host-Guest Isolation To user the VIX API for guest operation, applications must authenticate with two distinct security domains: 1. The client must first authenticate with the vsphere host. 2.

19 Broken Host-Guest Isolation To user the VIX API for guest operation, applications must authenticate with two distinct security domains: 1. The client must first authenticate with the vsphere host. 2. The client must then supply a valid credential for the guest operation system on any virtual machine where it wants to perform guest operations.?? - VMware Escalating Insider Threats Using VMware s API Page 19

20 All your are belong to us Control the guest Arbitrary code execution File operations Registry operations Attack types Lateral Movement Access to isolated networks Data leakage / manipulation Ransomware Escalating Insider Threats Using VMware s API Page 20

21 Attack Flow Connect (host cred) Vix_OpenVm ( Patients Data ) Login InGuest (User=????, Password=????) Tools Patients Data User: Password:? Guest operating system management by VIX API CRED CRED authd VMX host Escalating Insider Threats Using VMware s API Page 21

22 Undocumented Authentication Method Escalating Insider Threats Using VMware s API Page 22

23 Attack Flow Connect (host cred) Vix_OpenVm ( Patients Data ) LoginInGuest(Shared Secret User, Shared Secret, options=4) Tools Patients Data VM conf file Shared Secret CRED CRED VMX Autd conf file SharedPolicyRefCount Escalating Insider Threats Using VMware s API Page 23

$How to Set a Shared Secret Shared Secret Login vsphere API VirtualMachine\Config\AdvancedConfig privilege guest.$

24 How to Set a Shared Secret Shared Secret Login vsphere API VirtualMachine\Config\AdvancedConfig privilege guest.commands.sharedsecretlogin.<username> = SHA256(SS).encode( base64 ) Escalating Insider Threats Using VMware s API Page 24

25 How to Set a Shared Secret Shared Secret Login vsphere API VirtualMachine\Config\AdvancedConfig privilege guest.commands.sharedsecretlogin.<username> = SHA256(SS).encode( base64 ) SharedPolicyRefCount Controls whether guest operations using shared secret are allowed vsphere API Host\Configuration\Advanced Settings privilege Escalating Insider Threats Using VMware s API Page 25

26 Attack Flow Connect (host cred) Vix_OpenVm ( Patients Data ) LoginInGuest(Shared Secret User, Shared Secret, options=4) RunProgramInGuest( /bin/sh ) Tools Patients Data CRED CRED VMX Autd Escalating Insider Threats Using VMware s API Page 26

27 Attack Flow Connect (host cred) Vix_OpenVm ( Patients Data ) LoginInGuest(Shared Secret User, Shared Secret, options=4) RunProgramInGuest( /bin/sh ) Tools Patients Data CRED CRED VMX Autd Escalating Insider Threats Using VMware s API Page 27

28 Attack Flow Connect (host cred) Vix_OpenVm ( Patients Data ) LoginInGuest(Shared Secret User, Shared Secret, options=4) RunProgramInGuest( /bin/sh ) Tools Patients Data CRED CRED VMX Autd Escalating Insider Threats Using VMware s API Page 28

29 Escalating Insider Threats Using VMware s API Page 29 Live DEMO!

30 When will the attack not work? requestflags Passed properly by VMX Shared secret auth is opted-out if code block exists Escalating Insider Threats Using VMware s API Page 30

31 Who is vulnerable? Guest machines running on ESXi 5.5 OR Guest machines running VMware Tools version < Latest upstream repository offers a vulnerable OVT Ubuntu Fedora 25 RHEL 7.2 Oracle Linux 7 (latest) Escalating Insider Threats Using VMware s API Page 31

Our Risk Assessment Tool https://github.

32 Our Risk Assessment Tool Escalating Insider Threats Using VMware s API Page 32

33 Mitigation For ESXi 6.0 and 6.5 Option #1 Upgrade Vmtools Option #2 Opt-out by modifying vmtools configuration (for 9.9.0) Escalating Insider Threats Using VMware s API Page 33

34 Mitigation For ESXi 5.5 Fixed VMtools version Forked from latest open-vm-tools repository Source code - Binary Escalating Insider Threats Using VMware s API Page 34

35 Go Check your network Attack tool Risk assessment tool Fixed vmtools version Source: (twitter) Q&A Escalating Insider Threats Using VMware s API Page 35

Agenda 1 Types of VMware Tools 2 Status Display in vsphere 3 Lifecycle and Supported Guests 4 Standardization Approach 5 Keeping Tools Updated #SER195

SER1957BU Mastering the VMware Tools Lifecycle in Your vsphere Data Center Eric Gray #VMworld #SER1957BU Agenda 1 Types of VMware Tools 2 Status Display in vsphere 3 Lifecycle and Supported Guests 4 Standardization