VMware released an update to VMware Workstation 8.0.3 Build 703057 yesterday (May 3, 2012).  The update is a security update addresses two vulnerabilities that would allow out-of-bounds memory writes on floppy and SCSI devices under certain conditions.  The vulnerabilities may allow specially crafted attacks to crash the VMX process (i.e. crash the running VM) or theoretically execute commands on the host.  The VMware Workstation 8.0.3 release notes can be found here: https://www.vmware.com/support/ws80/doc/releasenotes_workstation_803.html.

VMware’s security advisories for these vulnerabilities can be found here: http://www.vmware.com/security/advisories/VMSA-2012-0009.html.

Users of VMware Workstation should be prompted to update to the latest version when launching the application:

If you are not automatically prompted to update VMware Workstation, manually check for updates from the Help menu:

You can also download the full install package of VMware Workstation from http://www.vmware.com/products/workstation.

While not specifically mentioned in the release notes, I wonder if this update was prompted by the VMware source code leak described in the VMware Security Blog: http://blogs.vmware.com/security/2012/05/vmware-security-note.html.  If so, kudos to VMware’s security and engineering teams for quickly identifying, fixing, and releasing updates to correct flaws that may be exposed through this code leak.

Here are some bookmarks for resources that I have recently referenced:

• vCenter 4 and ESX 4 Now Use 10 Year Default SSL Certificate | VM /ETC – Rich Brambly has some guidance on installing a new SSL certificate on vCenter, with very useful links in his post to official VMware documentation and KB’s on the subject.
• VMware vSphere Client on Microsoft Windows 7! | Virtual Lifestyle – Heiko Verlande has found a way to run the VMware vSphere Client on Windows 7.
• Virtu-Al » PowerCLI: Daily Report V2 – Version two of a handy PowerShell based VMware Environment Daily Report from VMware vExpert and PowerShell guru Alan Renouf
  What’s new/Bug Fixes
  * Active VMs count
  * Inactive VMs count
  * DRS Migrations count and list
  * Correct NTP Server check for each host
  * VMs stored on local datastores
  * NTP Service check for each host
  * vmkernel warning messages for each host
  * VM CPU ready over x%
• VMware Self-Service- VMware Update Manager Plug-In fails to install -Troubleshooting steps for vCenter Plug-in install problems.
• Using VMware VDI and vmSight for Stronger and Sustainable HIPAA and PCI Compliance – Virtualization brings new options for protecting sensitive data by moving it from the desktop into the datacenter.
• Counter of the Week : Analyzing Storage Performance – The purpose of this article is to provide prescriptive guidance on how to troubleshoot logical and physical disk response times in regards to Windows performance analysis. Start with the following performance counters to analyze disk response…
• NetApp, Compellent, HP, Dell top the field in 12-product test – Network World – A terabyte isn’t what it used to be. Disks are slower than you think. And a Gigabit Ethernet is plenty of bandwidth for many storage applications.

Between budget cuts and New Year’s resolutions, improving your security posture is probably near the top of your to-do list.  Much has been made of security concerns in a virtual environment, but it is always good to re-visit your configurations and make sure they are still on par with recommended best practices.  I began re-reviewing VI security best practices after reading at post by Bob Plankers at The Lone SysAdmin (Bob has been on my reading list for years – he has a great style and always brings fresh insights) on why you would want a second super-user account on your ESX servers.

We certainly all have our own opinions and operations procedures when it comes to configuring and hardening our environments, but I decided to take a look at what the experts had to say on this particular subject and other basic build and hardening recommendations.  Here is what I found:

VMware Security Resources

VMware Security Utilities

VI3.5 Security Hardening Whitepaper

Defense Informaion Systems Agency (DISA) ESX Server Security Technical Implementation Guide

DISA ESX Server Checklist

As a side note, DISA publishes many STIG’s at http://iase.disa.mil/stigs/.  Your tax dollars paid for these, so you might as well check them out.

NSA VMware ESX  Server 3 Configuration Guide

There are also numerous tips and scripts for locking down your virtual infrastructure in the VMware Community Forums (Start here: http://communities.vmware.com/message/941372).

So back to the question of second super user accounts: It seems that best practices are to create a second user account with sufficient access to the console, granting that user SUDO privledges, and then disabling the default root account.