Accepted Solutions
Hi,
When a hacker gains access to your guest, then installs vmrun and there's no network connection between guest and host then the hacker can't use vmrun as to operate it from a guest he/she would have to use the -h (host) option which depends on a network connection.
You should also disable things like shared folders and consider disabling copy&paste via shared clipboard.
If there is a network connection between guest and host and he has login/password of the host then it is game over anyways.
--
Wil
Hello,
Short answer: No
Slightly longer answer.
Being able to control the guest OS from a host is expected. In fact the Workstation GUI is just that, it gives you an easy interface to manage Virtual Machines.
You can only copy files and run applications/scripts in the guest if you know the guest login and password.
If you have those credentials it is game over anyways, even without vmrun as you can just login.
For going the other way around, control host from guest OS, you -again- need to have login and password (this time from the host) and on top of that you need to know the host IP. The latter can be guessed in some setups. You also would need to install VIX in the guest in order to control anything, but I suppose that isn't a big problem.
If you do find a way that bypasses the required credentials and allows you to do something with infected files from guest to host then you've identified a security problem and in that case we hope that you report it to VMware so that they can address it.
At this moment however when using the latest VMware Workstation versions there are no such issues publicly known.
--
Wil
Hi,
When a hacker gains access to your guest, then installs vmrun and there's no network connection between guest and host then the hacker can't use vmrun as to operate it from a guest he/she would have to use the -h (host) option which depends on a network connection.
You should also disable things like shared folders and consider disabling copy&paste via shared clipboard.
If there is a network connection between guest and host and he has login/password of the host then it is game over anyways.
--
Wil
Hi,
No a VM does not have access to its own configuration. It would at least need direct network access to the host and as long as you did not add the host to VMNet4 then there's no access.
Note also that there's no vmrun command to change network settings of a guest, so it is not as easy to do.
A way to change network settings on a guest would be if it is a shared VM AND having network access to the host.
But if having full access to the host the attacker could also change the vmx file via notepad (or via workstation itself)
Both those ways would depend on host credentials and direct network access.
--
Wil
Hi,
Sure, note that I do not have a Workstation GUI closeby so the raw .vmx settings will have to do.
But I do expect this to be configurable in VMware Workstation somewhere under your VM settings, probably under "isolation"
Disable copy&paste:
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
Disable drag&drop:
isolation.tools.dnd.disable = "TRUE"
Not having the settings in your .vmx file or setting to "FALSE" will enable Copy/Paste/Drag&Drop
--
Wil