-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 *Summary* VMware VIX API 1.1 supports an option that allows users with privileges on the host machine to execute programs on a guest operating system under the identity of a user currently logged into the guest. For example, if user A powers on a virtual machine (VM) and logs into the guest operating system, then a user B who has privilege on the host machine to connect to that VM can also write scripts that will anonymously run programs in the VM guest operating system as user A. Note that the only users who can access the VM this way are either the same users who have powered on the VM or an administrator on the host. *Affected products:* This behavior is only present in Workstation 6.0, Workstation 6.0 with ACE Option Pack, and VMware Player 2.0. This issue does not affect any released version of VMware Server, VMware ESX Server, or VMware GSX Server. This issue also does not affect deployed ACE 2.0 virtual machines. *How to disable this behavior* You can disable this behavior by adding an entry to the host configuration file. This will override any VM-specific configuration and globally disable the behavior for all virtual machines running on the host. The host configuration is owned by the System/root account, so it is protected against non-root users who have virtual machines on the system. This behavior can be disabled at the host level by adding the following line to the host configuration file: guest.commands.anonGuestCommandsRunAsConsoleUser = "FALSE" On Linux, the default pathname for this file is: /usr/lib/vmware/settings (Note that "settings" is the file name, not another directory name.) On Windows (except Windows Vista), the default pathname for this file is: C:\Documents and Settings\All Users\Application Data\VMware\VMware Workstation\settings.ini On Windows Vista, the default pathname for this file is: C:\ProgramData\VMware\VMware Workstation\settings.ini (Note that on Windows Vista, the "ProgramData" directory may be hidden by default.) If you installed the product in a custom location, then the path name for the configuration file may be different. Normally, the file will not exist. If the file does not exist, then first create a new blank text file named "settings" on Linux and "settings.ini" on Windows and then add the new settings line. Alternatively, you can also add the following line to the VMX configuration file to disable the behavior on a per-VM basis: guest.commands.anonGuestCommandsRunAsConsoleUser=FALSE The only feature of VMware Workstation that relies on this behavior is the Integrated Virtual Debugger, i.e. the optional plugins for Eclipse IDE and Microsoft Visual Studio. Disabling this login mode as documented above will disable this feature. In addition, VIX API client programs and scripts which depend on this login mode while calling VixVM_LoginInGuest will need to be modified to use a username and password to login to the guest. *The rationale for this design decision* We added this functionality to VMware Workstation in order to provide a seamless user experience using Integrated Virtual Debugger – a user will not be prompted to log-in each time a program is launched to run/debug inside a VM. We determined that, although this automates interaction with the guest operating system, this is not a /bona fide/ escalation of privileges in the guest operation system because any user who can access the VM this way can already open the user interface and manually interact with the guest under the identity of the currently logged-in user. In other words, if you are able to connect to a running VM, you need to be either the user who powered on the VM, or you are an administrator of the host. So, this behavior only applies to users who already have access to the VM. However, we take this feedback very seriously, and we are reevaluating this design decision for the next dot-release of Workstation. For further questions regarding this issue or other security related issues for VMware, please contact us at security@vmware.com. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFG1h1pS2KysvBH1xkRCPUmAJ0TIfQlGDl6t7Rad+HeAyldW5KtHgCeLwlj Sij6woX7EFYylIN9q8Q73OA= =wnfC -----END PGP SIGNATURE-----