A bunch of Red Pills: VMware Escapes

DedicatedIOT

Background

VMware is one of the leaders in virtualization nowadays. They offer VMware ESXi for cloud, and VMware Workstation and Fusion for desktops (Windows, Linux, macOS). The technology is very well known to the public: it allows users to run unmodified guest “virtual machines”. Often those virtual machines are not trusted, and they must be isolated. VMware goes to a great deal to offer this isolation, especially on the ESXi product, where virtual machines of different actors can potentially run on the same hardware. So strong isolation is of paramount importance.
Recently at Pwn2Own the “Virtualization” category was introduced, and VMware was among the targets since Pwn2Own 2016.
In 2017 we successfully demonstrated a VMware escape from a guest to the host from an unprivileged account, resulting in executing code on the host, breaking out of the virtual machine.
If you escape your virtual machine environment, then all isolation assurances are lost, since you are running code on the host, which controls the guests.

Source: Keen Security Lab Blog