Face-off: Is VMware Tools worth the virtual security risks?

VMware Tools are considered a best practice but they create virtual security risks. In this face-off, two experts debate whether the benefits outweigh the security concerns.

VMware Tools are an optional set of drivers and utilities that improve the performance and manageability of virtual machines. But there’s a debate about whether the benefits of installing VMware Tools outweigh the potential virtual security risks that it introduces.

On one hand, VMware Tools replaces many of the guest operating system drivers that were designed for physical hardware. These optimized drivers can drastically improve performance and functionality (e.g., providing copy-and-paste capabilities between the host and VM). But the installation of VMware Tools also adds potential virtual security vulnerabilities to an otherwise secure infrastructure.

In this face-off, two experts debate the merits of running VMware Tools.

Creating unnecessary virtual security risks with VMware Tools
By Edward Haletky, Contributor

VMware Tools, specifically its paravirtualized drivers, are often the attacked components of virtual machines. As such, I recommend using native guest OS drivers when possible and reserving paravirtualized drivers for must-have VM functionality.

Paravirtualized drivers are aware of the underlying virtualization layer, so they can take shortcuts through the driver layer, specifically to directly call the shared memory segment between the guest OS and the VM object. But they add another attack surface to your virtual infrastructure. In theory, attacking these drivers could lead to a denial of service (crashing the VM) or a hacker escaping the VM (gaining access to other VMs or the host) -- a big fear in virtualization today.

Many attacks of the Escape-the-VM nature have been successful against nearly every type-2 hypervisor, such as VMware Fusion, Player, Workstation and Server as well as Microsoft Virtual Server and Oracle VirtualBox. But no attack has successfully gained access to another VM within any bare-metal hypervisor, such as VMware vSphere, Citrix Systems XenServer or Microsoft Hyper-V.

However, there have been several VMware Tools paravirtualization drivers that have caused security problems in vSphere:

  • The vmxnet drivers provide access to higher network speeds within the VM. But the vmxnet family of drivers had a race condition that allowed network packets to have out-of-order timestamps, which appear to be out of sync with other packets. This shortcut caused TCP/IP-based services to fail. Anything that causes network servers to disconnect is a denial of service. Because a paravirtualized driver caused the issue, it was considered a virtual security risk. (It has since been fixed.)
  • Modern e1000 drivers from the OS vendor can achieve similar speeds, without the need for paravirtualized drivers.
  • The VMCI drivers are used for VM-to-VM communication outside the hypervisor (in essence, the VMs use another network path). At the moment, no applications use this functionality, but enabling it adds another potential attack surface to existing VMs.
  • The VMware SVGA driver is VMware Tools’ most attacked driver, but it is only useful if the VM is a virtual desktop. If not, the standard SVGA driver from the guest OS will suffice and limit the VM’s attack surface. (Attacks against SVGA can minimally crash the VM.)

Paravirtualized drivers should deliver must-have functionality to a VM, and you should opt for guest OS drivers when possible to limit virtual security risks.

Realizing a virtual infrastructure’s potential with VMware Tools
By Eric Siebert, Contributor

The rewards gained from installing VMware Tools far outweigh the slight virtual security risks it introduces.

VMware Tools isn’t required and a VM can run OK without them, but you’d miss out on a lot of features and functionality by not installing them. More importantly, forgoing VMware Tools prevents a VM from reaching its full performance potential.

The Windows operating system, for example, includes generic hardware drivers based on industry-standard physical hardware. In a Windows guest, VMware Tools replaces those generic drivers with ones that are optimized for virtualization and that deliver better performance.

In addition, installing VMware Tools supplies VMware’s high-performance virtual hardware, such as the pvSCSI adapter, the VMXNET3 network adapter and the VMCI adapter.

VMware Tools also provides other, important functionality:

  • VMware Tools’ memory balloon driver reduces the physical memory that a virtual machine uses and is a key component of vSphere memory management. Considering that memory is the most utilized resource in virtualization, the absence of the VMware Tools memory balloon driver will increase physical memory usage on a host.
  • The sync driver quiesces a VM to prevent data corruption during a backup. Quiescing pauses the VM’s file system and applications and waits for their processes to flush from the memory and transactions to complete before allowing backups to begin. Without the sync driver, you need to install agents inside the OS to perform backups at the virtualization layer, resulting in increased resource overhead and management complexity.
  • Another feature enabled by VMware Tools is VMware High Availability (HA). VMware HA can restart OSes that become unresponsive, as with a Blue Screen of Death. And it can now automatically restart supported applications that are no longer responding.
  • VMware Tools can perform a clean shutdown of an OS when needed (e.g., when a High Availability event occurs). I’d prefer to have my OS and applications shut down cleanly rather than performing a hard shut down (akin to pulling a server’s power cord from the wall) and risk data corruption.

VMware Tools also helps in other, little ways. It can sync a VM’s clock to a host, which is important for logging and authentication. It allows better integration with remote console sessions. Without VMware Tools, for example, mouse control is erratic in a VM, and you constantly have to press CTRL+ALT to release the cursor from console windows. VMware Tools also adds a higher resolution display driver, which makes it easier to interact with a VM.

I understand the virtual security implications but I’ve never heard of anyone using VMware Tools to compromise the hypervisor, VMs or hosts. Even VMware doesn’t recommend against running VMware Tools for security reasons. Instead, the company recommends disabling some functionality -- such as the clipboard for copying and pasting -- in the vSphere 4.1 Hardening Guide.

Without VMware Tools, your environment becomes more difficult to manage and less efficient. I personally think the rewards that you gain from using VMware Tools far outweigh any slight risks you may take by not installing them.
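
The hardening-guide approach mentioned above (keep VMware Tools, but switch off the clipboard) can be checked per VM. The following is an added example, not part of either contributor's text and not VMware's code: it audits a .vmx file for the two clipboard settings, assuming keys are compared case-insensitively and that a missing key should be reported rather than trusted to a default. The sample configurations are constructed.

```python
import re

# Clipboard-related settings expected to be set explicitly in the .vmx file.
EXPECTED = {
    "isolation.tools.copy.disable": "true",
    "isolation.tools.paste.disable": "true",
}

# Matches lines of the form: key = "value"; anything else is skipped.
_LINE = re.compile(r'^\s*([A-Za-z0-9_.:\-]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Return {lowercased key: value}; a later duplicate overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings


def audit_vmx(text, expected=EXPECTED):
    """Return a sorted list of (key, problem) for each setting that deviates."""
    settings = parse_vmx(text)
    findings = []
    for key, want in expected.items():
        have = settings.get(key.lower())
        if have is None:
            findings.append((key, "not set"))
        elif have.lower() != want:
            findings.append((key, f"set to {have!r}, expected {want.upper()!r}"))
    return sorted(findings)


# Constructed sample .vmx fragments (not taken from a real VM).
SAMPLE_WEAK = '''
displayName = "app01"
isolation.tools.copy.disable = "FALSE"
'''
SAMPLE_HARDENED = '''
displayName = "app02"
isolation.tools.copy.disable = "TRUE"
Isolation.Tools.Paste.Disable = "true"
'''

if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_vmx(cfg) or "OK")
```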
