VMs with multiple vNics could be a security risk

Often when I do health checks on vSphere environments I come across VMs that have multiple vNics. That can be a serious security risk if these vNics are connected to different security zones. A VM that is connected both to a DMZ and to an administration network could give an attacker easy access to the more privileged network. Sometimes this configuration is acceptable if the operating system is designed to handle it, for instance when the VM is a firewall.

I often find VMs that have a configuration where one of the network adapters is disconnected. Sometimes the second vNic was forgotten, and other times it is connected from vCenter when access to the secondary network is wanted for some kind of maintenance.

There is a setting on the virtual network adapter called “allowGuestControl”, and I was wondering if this setting could be a security issue. Could an attacker enable the disconnected network adapter from within the guest operating system, and thereby gain access to a privileged network?

It turns out that you can enable disconnected hardware using VMware Tools, as documented here: https://pubs.vmware.com/vsphere-50/index.jsp?topic=%2Fcom.vmware.vmtools.install.doc%2FGUID-B8AEEAAC-5E0D-4A5E-974E-64FE81949AE0.html

Fortunately this is not enabled by default, even though the “allowGuestControl” setting is enabled. As the documentation explains, you have to add two settings to the vmx file of the VM:

isolation.device.connectable.disable = "FALSE"
isolation.device.edit.disable = "FALSE"

The downside is that if these settings have been added, perhaps by an intruder who has already gained access to the vmx file, it is very hard to spot. So I recommend that you avoid having multiple vNics in a VM that cross different security zones, even when one of them is disconnected.
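To make this easier to spot across a whole environment, here is an added PowerCLI audit (my own example, not code from the original post or from VMware) that lists VMs whose vNics span more than one port group, which vNics are disconnected or guest-controllable, and whether the two vmx keys above have been set. It assumes PowerCLI is installed and a Connect-VIServer session to vCenter is already open.

```powershell
# Added example: audit VMs for vNics that cross networks and for the two vmx
# keys that would let the guest reconnect a disconnected adapter.
# Assumes an existing Connect-VIServer session.
$report = foreach ($vm in Get-VM) {
    $nics     = @(Get-NetworkAdapter -VM $vm)
    $networks = @($nics | Select-Object -ExpandProperty NetworkName -Unique)

    # The isolation.* keys live in the vmx; Get-AdvancedSetting reads them via vCenter.
    $adv = @(Get-AdvancedSetting -Entity $vm -Name 'isolation.device.*' -ErrorAction SilentlyContinue)
    $connectable = ($adv | Where-Object { $_.Name -eq 'isolation.device.connectable.disable' }).Value
    $edit        = ($adv | Where-Object { $_.Name -eq 'isolation.device.edit.disable' }).Value

    [pscustomobject]@{
        VM                 = $vm.Name
        NicCount           = $nics.Count
        Networks           = ($networks -join ', ')
        Disconnected       = (($nics | Where-Object { -not $_.ConnectionState.Connected }).Name) -join ', '
        AllowGuestControl  = (($nics | Where-Object { $_.ConnectionState.AllowGuestControl }).Name) -join ', '
        # $null means the key is absent, i.e. the default the post describes as safe
        ConnectableDisable = $connectable
        EditDisable        = $edit
        # Both keys explicitly FALSE is the configuration the documentation requires
        # for the guest to connect hardware itself, so this is the row to investigate
        GuestCanConnect    = ($connectable -eq 'FALSE' -and $edit -eq 'FALSE')
    }
}

# Only VMs that span more than one port group are interesting; worst cases first.
$report |
    Where-Object { $_.Networks -match ',' } |
    Sort-Object GuestCanConnect -Descending |
    Format-Table VM, Networks, Disconnected, AllowGuestControl, GuestCanConnect -AutoSize
```

A VM that spans two zones and shows GuestCanConnect as True should be treated as a finding regardless of whether the second vNic is currently disconnected.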

Credit to mhampto for pointing me to the right documentation when trying to get to the bottom of this.
