T 2.150 Improper integration of guest tools in virtual IT systems

With the help of guest tools, e.g. the Citrix XenTools or the VMware Tools, the administrator is able to control and administer the virtual IT systems in the virtualisation infrastructure. Furthermore, these programs integrate drivers and services for the communication between the virtualised operating systems and the host.

The guest tools are used to implement different functions, e.g.:

The guest tools have comprehensive authorisations regarding system files and services within the virtual machine in order to provide the functions described. These functions may contradict an established authorisation concept, as well as other requirements regarding the virtual environment, if the existing concepts and requirements are not taken into consideration and implemented when planning the installation of the guest tools. In this way, it may become possible to use functions that are incompatible with the organisation's policies.

Shutting down a virtual IT system without the required authorisation

For example, if an organisation has specified that virtual and physical servers must, as a matter of principle, only be shut down after the responsible administrator has logged in and stated the reason for the shutdown, the guest tools may be used to bypass these specifications. Using the guest tools, the administrator of a virtualisation server may shut down any other virtual IT system. For this, the administrator need not necessarily be an authorised administrator of the virtual IT system concerned. In this way, the administrators of the virtualisation servers may undermine the policies and regulations governing the use of the virtual IT systems and thereby endanger the availability, integrity, and confidentiality of the virtual IT systems.

Moreover, there are virtualisation products (such as VMware Workstation or VMware Server) with comprehensive functions for integration into a development environment. Here, the guest tools in virtual IT systems offer additional functions beyond the options mentioned above. For example, scripts can be stored on a virtual IT system and controlled by the guest tools from the outside for testing purposes. This requires no interaction with and no authentication at the virtual IT system itself; the actions are initiated solely by the virtualisation software and/or the hypervisor and the guest tools. If virtual IT systems from development environments are then transferred to the virtual infrastructure for productive operations, security gaps may arise in the productive environment, since the tools and interfaces designed specifically for the development environment remain effective in the productive environment.
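One defensive check that follows from this, added here as an illustration and not part of the catalogue: before a virtual IT system from a test environment is admitted to productive operations, audit its .vmx configuration for guest-tools functions that the productive environment's policy requires to be disabled. The setting names are assumed to match VMware's advanced VMX settings; the baseline selection, the required values and the sample file are assumptions constructed for this example.

```python
"""Audit a VMware .vmx file for guest-tools functions to disable before a VM leaves test."""
import re

# Baseline: VMX settings a VM must carry before it is admitted to production.
# Setting names follow VMware's advanced VMX settings; the selection and the
# required values are an assumption for this illustration, not an official list.
BASELINE = {
    "isolation.tools.copy.disable": "TRUE",
    "isolation.tools.paste.disable": "TRUE",
    "isolation.tools.diskShrink.disable": "TRUE",
    "isolation.tools.diskWiper.disable": "TRUE",
    "isolation.tools.setGUIOptions.enable": "FALSE",
}

# Matches  key = "value"  lines; quotes are optional, '#' starts a comment.
_LINE = re.compile(r'^\s*([^#=\s]+)\s*=\s*"?([^"]*)"?\s*$')

def parse_vmx(text):
    """Return key/value pairs; keys are lower-cased for case-insensitive comparison."""
    settings = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings

def audit(text, baseline=BASELINE):
    """Return (setting, actual, required) for each baseline setting that is
    missing or has a value other than the required one."""
    settings = parse_vmx(text)
    findings = []
    for key, required in baseline.items():
        actual = settings.get(key.lower())
        if actual is None:
            findings.append((key, "missing", required))
        elif actual.upper() != required:
            findings.append((key, actual, required))
    return findings

# Constructed sample: the consultant's workplace VM copied from the test network.
SAMPLE_VMX = '''.encoding = "UTF-8"
displayName = "consultant-workplace"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "FALSE"
isolation.tools.diskShrink.disable = "TRUE"
'''
if __name__ == "__main__":
    for key, actual, required in audit(SAMPLE_VMX):
        print(f"{key}: is {actual}, should be {required}")
```

Any finding means the system still carries a guest-tools function that the test environment allowed; it should be corrected (or the import refused) before the machine is started in the productive network.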

Example:

A government agency plans to update a complex client/server application. An external consulting company is commissioned to perform the update. The update steps are developed and tested in a virtual environment that is a complete image of the productive environment. The test systems are copies of the productive systems, provided in an isolated network.

One of the external consultants is responsible for updating the client application. Installing the application on the client is rather complex. Moreover, certain defined configuration steps must be performed on the server during each new installation so that the new client version is operable. Once the data on the server has been migrated, clients with an old software version can no longer access the server.

In order not to have to perform the same configuration steps over and over again, the external consultant created scripts. These are designed, on the one hand, to reconfigure the client at every restart and, on the other hand, to install and execute scripts on the servers using the guest tools.

The responsible head of division wants to obtain information about the project's progress and asks one of her employees to show her the client. Since no installation packages for the client software are available in the productive environment, the employee decides to copy the virtual workplace system of the external consultant. He transfers the system to the productive network and starts it in order to show it to his supervisor.

In the background, the external consultant's scripts integrated in the client are activated, and the productive server of the government agency is updated to the new version by these scripts. The employees can no longer access the server, resulting in a production outage of several hours, since the data must be recovered.