4

I have realized there are issues such as virtual machines being exposed to other VMs within the same system when they're connected to the VMCI socket interface. How do we prevent this ?

Rory Alsop
  • 61,507
  • 12
  • 118
  • 322
Andreas Pluto
  • 41
  • 2
  • Are you referring to any specific known exploits (such as arbitrary code execution exploit on Windows hosts) and asking how to mitigate these, or asking about VMCI vulnerability in general? Non specific questions are not encouraged, as per faq. Please explain in more detail what specific details of VMCI connected hosts are you interested in hardening, otherwise your question will be considered as too broad and inspiring discussion. – TildalWave Mar 12 '13 at 04:04
  • First of all, TidalWave I would like to know why My question regarding controls in a VMware enviorment was closed as its too broad or narrow. I am being very specific here. I wasn't asking what are the Information technology General controls. I was asking possible ITGC/ Technical controls in a VMware environment. To give some examples, – Andreas Pluto Mar 12 '13 at 15:28
  • Esxi default username and passwords needs to be changed.The risk here is that it cannot be kept as 'root' as default accounts are widely known, documented, and they could easily be targeted.
    Esxi shell should be protected. SSH access to busybox shell should be protected.
    VMware ESX is configured with at least two networks: one for VMs and one for system management.     – Andreas Pluto Mar 12 '13 at 15:29
  • I didn't close it, but the answer why it was closed is there, in the description of the reason for being closed. Please note that if someone is trying to point you in the right direction and give suggestions how you could improve your question, they are most likely trying to answer it but lack details you should provide. This website is community moderated, and as such you're part of this community and just as responsible for its quality. Being on-topic and descriptive are one of these qualitative factors, more is in the FAQ. Thanks! – TildalWave Mar 12 '13 at 17:38
  • 1
    Re "Esxi default username and passwords needs to be changed", if you're researching to find an answer to your question on your own, then it is completely acceptable (encouraged even) to post a new answer with your findings. ;) – TildalWave Mar 12 '13 at 17:50
  • From user Ahmed Aadeb's answer: http://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.vmci.pg.doc%2FvsockSecurity.7.3.html – Adi Aug 05 '13 at 17:41

1 Answers1

2

ESX/ESXi 4.0 to ESXi 5.0 provide .vmx options for VMCI isolation. As of ESXi 5.1, these options have no effect.

[vmci0.unrestricted = FALSE|TRUE]

When its vmci.unrestricted option was set TRUE, a virtual machine could communicate with all host endpoints and other virtual machines that had vmci0.unrestricted set TRUE.

[vmci0.domain = ]

(ESX/ESXi only) All virtual machines and host applications were members of the default domain ("") null string, by default. If the vmci0.domain option specified a non-default domain, then the virtual machine could communicate only with the hypervisor and other virtual machines in the same domain. This was to organize virtual machines into groups that could communicate with each other.

As of ESXi 5.1, or earlier when configured for restricted communication, the VMCI device has a security profile similar to any other device such as keyboard, video monitor, mouse, or motherboard. Guest communications depend on the VMCI applications running on the host. VMCI in itself does not expose any guest information.

Ahmad Aabed
  • 131
  • 3
  • Ahmad - please feel free to update your answer with content, as per Xander's comment. Otherwise this answer will get downvoted/deleted. – Rory Alsop Aug 05 '13 at 15:19