Full Report
OK.. some of you in the office would have heard me whine when VMware Fusion recently started taking my whole machine down occasionally. The joy of it being the whole machine is that I've lost my Firefox profile, and managed to turf my OS X preferences twice since this started happening.. Through meticulous checking I tracked down that the problem started “the day I blogged about how much I love VMware Fusion”. I spent a lot of time wondering if I rm’d the post if it would fix the problem…
Analysis Summary
# Main Topic
Instability and system crashes experienced when using VMware Fusion, specifically traced back to running virtual machine images located on an encrypted (FileVault) drive. The issue caused data loss, including Firefox profiles and macOS preferences.
## Key Points
- The instability (machine crashes) began immediately after the user posted a positive review ("blogged about how much i love vmware fusion").
- The issue manifested as complete machine lockups, recurring multiple times daily, especially when pausing a VM.
- The issue was reproduced across VMware Fusion versions 43733 (where it started), 48339, and 50460.
- Rolling back to version 43733 temporarily resolved the issue, but the underlying OS/VM interaction problem remained suspected.
- The core finding was that the instability occurred when VMs were run from a directory secured by FileVault encryption.
## Threat Actors
- **None identified.** The issue is characterized as a software bug/configuration flaw related to the interaction between VMware Fusion and macOS encryption, not a malicious threat actor or campaign.
## TTPs
- **VM pause/unpause instability:** The lockups were tied to pausing and unpausing a VM (`pause a vm`). This is a software fault, not an adversary technique.
- **Data loss from crashes:** Repeated system crashes caused loss of user data (Firefox profiles, OS X preferences).
- **Configuration Specific Failure:** Failure related to memory mapping (`mmap`) operations on encrypted volumes.
## Affected Systems
- **Platform:** macOS (OS X)
- **Virtualization Software:** VMware Fusion (Versions 43733, 48339, 50460)
- **Specific Condition:** Virtual Machine images stored on a FileVault encrypted directory.
## Mitigations
- **VMX Configuration Fix (Temporary):** Adding the following line to the machine's `.vmx` configuration file resolved the crashes, though pause/unpause times became slower:
  `mainMem.useNamedFile = "FALSE"`
- **Preferred Resolution:** Moving VM guest images to a non-encrypted drive resolved both the crashing and the slow performance issues entirely.
- **Information Gathering:** Consulting VMware forums and engaging with support for debug information.
## Conclusion
This incident highlights a critical stability flaw in VMware Fusion configurations involving FileVault-encrypted volumes. While not a targeted attack, the impact was severe (system crashes and data loss). The immediate solution involves either modifying the VMX configuration or, preferably, relocating VM images off encrypted storage until a permanent software patch addresses the underlying memory mapping conflict.