T 5.149 Misuse of guest tools in virtual IT systems

For many virtualisation products, so-called guest tools are installed in the virtual IT systems. On the one hand, these guest tools provide the device drivers the guest operating system needs for the virtual or emulated devices, such as network cards, graphics cards or hard disks. On the other hand, they install programs for communicating with the hypervisor or the host operating system, for improving the performance of the virtual IT system, and for simplifying the provisioning of new virtual IT systems. The guest tools also allow the virtual IT systems to be monitored: the hypervisor or the host operating system uses them to monitor the availability and performance of the guest.

Due to their quasi-system function, the guest tools are frequently executed with high privileges. Often they run in the context, and therefore with the rights, of the operating system kernel of the virtual machine.

Functions such as overbooking (overcommitting) RAM or disk space for virtual IT systems are coordinated between the hypervisor and the virtual IT system with the help of the guest tools. These functions are a significant part of the added value of virtualisation technology in data centre operations.

Some virtualisation products specialised for software development additionally offer the option of conveniently building complex test scenarios. This, too, is frequently implemented or supported with the help of the guest tools. For this purpose, the guest tools provide interfaces through which script files can be transferred to virtual IT systems. The guest tools can then also execute these scripts in the virtual IT system; any scripting language available in the virtual IT system may be used. The scripts may be started at system start, when a user logs in, or at any other time. These interfaces normally do not require a network connection between the guest systems; they are provided by the hypervisor or the host operating system.

An attacker may exploit these script interfaces to establish undesirable communication between several virtual systems that cannot be controlled with conventional means such as network firewalls or segmentation, because the data does not travel over the virtual network at all: the attacker transmits it through the interface intended for transferring script files.

Furthermore, with the described virtualisation products designed for software development, an attacker may transfer their own script files from one virtual IT system to another with the help of the guest tools. These scripts are executed with the rights of the guest tools. Because of the wide-ranging privileges of the guest tools, this is particularly critical, since practically any action can be performed in the affected guest system: for example, malware can be started, users can be created, group memberships can be modified, or the configuration of the guest operating system can be manipulated.

Denial-of-service by overbooking resources

Some virtualisation products allow overbooking of various resources such as hard disk space or RAM. For example, if two virtual IT systems compete for RAM, the host operating system or the hypervisor may instruct the guest tools in one of the virtual IT systems (commonly called a balloon driver) to allocate virtual RAM inside that guest. The guest then no longer uses the physical memory backing this allocation, and the hypervisor can hand that physical memory to the other virtual IT system as virtual RAM. Conversely, a virtual IT system may use the guest tools to request additional RAM.

If an attacker controls a virtual IT system, he/she may use malware to request so much RAM that RAM becomes scarce for the other virtual IT systems. This degrades the performance of the other virtual IT systems, up to a denial-of-service. The same effect occurs if an attacker accesses a service of a virtual IT system from outside in such a way that this service occupies large amounts of memory.

If a function for overbooking hard disk space is used (thin provisioning), there is usually also an option for releasing storage again. This is done by consolidating unused disk space and marking it as free, for example by shrinking the virtual disk.

If an attacker triggers such a process in a virtual IT system, the storage systems are put under significant load, since large amounts of data have to be read and rewritten. This can also degrade the performance of other IT systems that share the same storage.
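As an added example that is not part of the catalogue entry, the following Python script audits a VMware .vmx configuration for the guest-tools interfaces discussed above: the script/guest-info and clipboard channels between hypervisor and guest, the guest-initiated disk shrink and wipe functions that cause the storage load described, and the absence of a per-guest memory limit that lets one guest grow to its full configured size on an overbooked host. The isolation.tools.* and sched.mem.* keys are the settings from VMware's virtual-machine hardening guidance; the sample .vmx content is constructed for this example, and treating keys case-insensitively is an assumption of the parser.

```python
"""Audit a VMware .vmx file for open guest-tools interfaces (added example).

Checks isolation.tools.* / isolation.device.* keys from VMware's VM hardening
guidance and the sched.mem.max memory limit. The .vmx sample is constructed.
"""
import re

# Key -> value that closes the interface. Keys are compared case-insensitively
# (assumption: VMX keys are treated case-insensitively).
EXPECTED = {
    # guest-info channel (guestinfo.* set/get) usable by scripts across VMs
    "isolation.tools.setinfo.disable": "TRUE",
    # clipboard channel between host and guest
    "isolation.tools.copy.disable": "TRUE",
    "isolation.tools.paste.disable": "TRUE",
    # guest-initiated disk shrink / free-space wipe (heavy storage I/O)
    "isolation.tools.diskShrink.disable": "TRUE",
    "isolation.tools.diskWiper.disable": "TRUE",
    # guest-initiated connect/disconnect of virtual devices
    "isolation.device.connectable.disable": "TRUE",
}

# Constructed sample: clipboard locked down, guest-info channel explicitly
# enabled, shrink/wipe left at defaults, no memory limit (-1 = unlimited).
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "19"
displayName = "build-runner-01"
memsize = "8192"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
isolation.tools.setinfo.disable = "FALSE"
sched.mem.max = "-1"
"""

_LINE = re.compile(r'^\s*([\w.:-]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_vmx(text):
    """Parse key = "value" lines into a dict with lower-cased keys."""
    cfg = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2).strip()
    return cfg


def audit(cfg):
    """Return a list of (key, reason) findings; empty means no open interface."""
    findings = []
    for key, want in EXPECTED.items():
        have = cfg.get(key.lower())
        if have is None:
            findings.append((key, "not set; relies on the product default"))
        elif have.upper() != want:
            findings.append((key, f"set to {have!r}, expected {want}"))
    limit = cfg.get("sched.mem.max")
    if limit is None or limit == "-1":
        findings.append(("sched.mem.max",
                         "no memory limit; guest may grow to its full memsize"))
    return findings


def harden(cfg, limit_mb):
    """Return a copy of cfg with every interface closed and a memory limit set.

    limit_mb should not exceed memsize; the limit caps what the guest can
    actually obtain from the host, regardless of what its guest tools request.
    """
    hardened = dict(cfg)
    for key, want in EXPECTED.items():
        hardened[key.lower()] = want
    hardened["sched.mem.max"] = str(limit_mb)
    return hardened


def render_vmx(cfg):
    """Serialise a config dict back into VMX line format."""
    return "".join(f'{k} = "{v}"\n' for k, v in sorted(cfg.items()))


if __name__ == "__main__":
    cfg = parse_vmx(SAMPLE_VMX)
    for key, why in audit(cfg):
        print(f"FINDING {key}: {why}")
    fixed = harden(cfg, limit_mb=4096)
    print("after hardening:", audit(fixed))
    print(render_vmx(fixed))
```

Run against the sample, the audit reports five findings (the enabled guest-info channel, the three unset isolation keys, and the missing memory limit); after harden() the audit is empty. The same parse/audit pair can be pointed at every .vmx on a host to find guests whose guest tools still expose these interfaces.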

Examples: