T 3.101 Improper use of guest tools in virtual IT systems
For many virtualisation products, so-called guest tools can be installed in the virtual IT systems. On the one hand, these guest tools can be used to provide the device drivers required for operating system virtualisation for virtual or emulated devices such as network cards, hard disks or graphics cards. On the other, they provide a number of functions for virtual machines. Such functions are for instance:
- shutting down the operating system of a virtual IT system without interaction in the virtual IT system via the virtualisation server directly,
- exchanging the content of the clipboard between the console emulation of the virtual machine and the workplace system of the user,
- seamless integration of the mouse cursor of the user's workplace system in a virtual machine with its console emulation,
- simplified loading and unloading of data media in the virtual IT systems. These can be physical floppy disk, CD or DVD drives, but also image files of such data media (ISO images).
These functions increase the user-friendliness of the virtual IT systems and, in addition, allow an automated management of the operating states (switching on/off, booting and shutting down) of virtual IT systems by the virtualisation server.
Shutting down the system without logging in/interaction
If an administrator of the virtualisation server uses the shutdown function of the guest tools, any more restrictive configuration settings within the virtual IT system itself are circumvented, and policies that prohibit restarts or shutdowns without proper authorisation are violated.
Access to CD/DVD drives or floppy disk drives
With the corresponding configuration, the guest tools also allow direct access to the drives of the virtualisation server. For example, the physical CD drive installed in the virtualisation server may thus be accessible from a virtual IT system. A CD-ROM with confidential data that was inserted into the drive of the virtualisation server in order to transfer its contents to one particular virtual IT system can then also be accessed from other virtual instances. The confidentiality of the data is threatened, because the data may have been read by unauthorised persons.
For some virtualisation products, it is also possible to open the CD or DVD drive tray of the virtualisation server from a virtual IT system using the guest tools, when they are configured accordingly. The drive could be damaged if, for example, it hits the door of the server cabinet or is stopped by a decorative panel on the server housing.
Examples:
- In a medium-sized company, several virtualisation servers are used. On these servers, several virtual IT systems are operated. Some of them belong to an ERP system on which all commercial applications of the company are operated. This ERP system is not managed by the same administrators as the virtualisation servers. As high protection requirements were determined for the servers belonging to the ERP system, these systems may only be shut down when a maintenance period has been agreed upon with the users of the ERP system. In addition, the servers may only be shut down by specifically authorised administrators, and this must also be logged and documented by the respective administrator. To implement this policy technically, the authorisation to stop the individual ERP systems was only granted to the ERP administrators in the operating system of the virtual IT systems. Moreover, the operating system was configured in such a manner that it forces the administrator to give reasons before shutting down the system.
In one of the virtualisation servers, a fan fails. This is not directly critical for the functioning of the server, but the defective fan should still be replaced immediately. For this purpose, the administrator of the virtualisation server arranges an appointment for the repair with a service technician of the server manufacturer. On the following day, the technician of the manufacturer shows up in the morning. He has the required spare part with him and would like to start immediately with the repair, because he also has other appointments. In order to replace the fan, the virtualisation server must be switched off. The administrator of the virtualisation server now shuts down the virtualisation server using the administration console. In the process, all virtual IT systems are also automatically shut down using the guest tools. The guest tools shut down the systems without the required logging and do not check either whether the administrator has been authorised at all to do this. After the repair has been carried out, the administrator switches on the virtualisation server and boots all virtual IT systems again.
During the repair, important parts of the ERP system are not available, resulting in a high loss of working time as several employees cannot carry out their tasks. The administrators of the ERP system are reprimanded by the management of the company, because they have disregarded the policies and have not ensured that the ERP systems can only be shut down by authorised administrators. Furthermore, logging regulations were ignored.
- The administrator of a virtual IT system is bored and explores the functions of the guest tools installed on the virtual IT system. In doing so, he finds the function for connecting and disconnecting physical CD or DVD drives of the virtualisation server. Since he does not know that opening the drive tray in the virtual IT system actually results in opening the physical drive tray of the virtualisation server, he fiddles around with the corresponding function.
A technician who is in the server room at this time and carrying out work on an IT system next to the virtualisation server does not notice the open drive and the sleeve of his shirt gets caught on the drive tray. Thus, the drive is damaged and must be replaced.