Enterprise IT has its eye on VMware’s next move following the company’s confirmation that ESX server source code was leaked by a hacker this week. The leak could pose a security threat to companies with virtual infrastructures based on vSphere.
The code, which dates to 2003 or 2004, was apparently stolen from “a variety of compromised Chinese firms,” according to a Threatpost report. The code was confirmed as genuine by the director of VMware’s Security Response Center in a blog post yesterday. Although only a single file has been released publicly, the hacker claims to have another 300 MB of source code and that the rest will be published May 5.
If the rest of the code is of the same vintage, it may not be much of a threat. In fact, providing a more secure hypervisor was a primary goal of the conversion over the last year from ESX to ESXi, a set of code with a much smaller attack surface. So far, no data has been published which indicates the ESXi hypervisor is involved.
But if the remaining code published May 5 is more current, and contains information that could allow hackers to access hosts from guests, it could potentially pose a security threat to enterprises as well as cloud service providers with infrastructures based on vSphere.
The worst-case scenario is that such a “VM escape” is found, but not published, according to Bob Plankers, virtualization architect with a large Midwestern university.
“There’s a lot of money to be made by hacking enterprises,” he said. “So VMware and their customers would be best served by an attitude akin to a race: who can find all the security holes first?”
The risk is probably not very high right now based on what’s been released, according to security expert Edward Haletky, CEO of The Virtualization Practice LLC. But “believe me, on May 5, I’ll be paying attention to what is released,” he said.
So far, escape-the-VM attacks have proven relatively toothless – none has been able to really do much to cross VM boundaries even when they have penetrated the hypervisor in experimental settings, Haletky said. If areas of the code having to do with the virtual machine manager leak out, it could help such an attack do more damage.
For now, it’s much easier to attack virtual machines through the management layers, and therefore much more common, Haletky said. Enterprises can protect themselves by following security best practices such as separating management networks from storage networks, fault tolerance and vMotion networks; limiting the footprint of VMs; effective network monitoring; and using early warning systems. But it’s something he says most enterprises don’t do.
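The separation Haletky describes is easy to state and easy to let drift: a vMotion or fault-tolerance logging VMkernel interface ends up tagged onto the management adapter, or on the management VLAN and subnet, and the management plane that attackers actually go after is suddenly shared with traffic that was meant to be isolated. The following script is an added example, not code from the article or from VMware; it audits a constructed VMkernel inventory (the record layout, host names, VLAN numbers and addresses are all invented for illustration; in practice they would be filled from `esxcli network ip interface` and `esxcli network ip interface ipv4 get` output, or from PowerCLI) and flags three conditions: one VMkernel adapter carrying more than one of the isolated service classes, two classes on the same VLAN, and two classes on the same IP subnet.

```python
"""
Added example (not from the article or from VMware): offline audit that the
management, vMotion, storage and fault-tolerance networks are kept apart, as
the best practices quoted in the text recommend.

The inventory format and all values below are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_interface

# Traffic classes the article says belong on separate networks.
ISOLATED_CLASSES = ("management", "vmotion", "storage", "fault_tolerance")

# Constructed inventory: one record per VMkernel adapter. "services" lists the
# service tags on that adapter (an adapter can carry several tags in ESXi).
SAMPLE_INVENTORY = [
    # esx01 is laid out correctly: one class per adapter, VLAN and subnet.
    {"host": "esx01", "vmk": "vmk0", "services": ["management"],      "vlan": 10, "ip": "10.0.10.11/24"},
    {"host": "esx01", "vmk": "vmk1", "services": ["vmotion"],         "vlan": 20, "ip": "10.0.20.11/24"},
    {"host": "esx01", "vmk": "vmk2", "services": ["storage"],         "vlan": 30, "ip": "10.0.30.11/24"},
    {"host": "esx01", "vmk": "vmk3", "services": ["fault_tolerance"], "vlan": 40, "ip": "10.0.40.11/24"},
    # esx02 has two constructed mistakes: vMotion was tagged onto the
    # management adapter, and FT logging was put on the management VLAN/subnet.
    {"host": "esx02", "vmk": "vmk0", "services": ["management", "vmotion"], "vlan": 10, "ip": "10.0.10.12/24"},
    {"host": "esx02", "vmk": "vmk2", "services": ["storage"],               "vlan": 30, "ip": "10.0.30.12/24"},
    {"host": "esx02", "vmk": "vmk3", "services": ["fault_tolerance"],       "vlan": 10, "ip": "10.0.10.112/24"},
]


def audit_network_separation(inventory):
    """Return the places where isolated traffic classes are mixed.

    Result keys:
      shared_vmk    - (host, vmk, classes) adapters tagged with >1 isolated class
      shared_vlan   - (vlan, classes) VLANs carrying >1 isolated class
      shared_subnet - (subnet, classes) IP subnets carrying >1 isolated class
    """
    by_vlan = defaultdict(set)
    by_subnet = defaultdict(set)
    findings = {"shared_vmk": [], "shared_vlan": [], "shared_subnet": []}

    for rec in inventory:
        # Only the classes the text wants isolated count; other tags are ignored.
        services = {s for s in rec["services"] if s in ISOLATED_CLASSES}
        if len(services) > 1:
            findings["shared_vmk"].append((rec["host"], rec["vmk"], tuple(sorted(services))))
        by_vlan[rec["vlan"]] |= services
        # ip_interface() turns "10.0.10.112/24" into the network "10.0.10.0/24".
        by_subnet[str(ip_interface(rec["ip"]).network)] |= services

    for vlan, services in sorted(by_vlan.items()):
        if len(services) > 1:
            findings["shared_vlan"].append((vlan, tuple(sorted(services))))
    for subnet, services in sorted(by_subnet.items()):
        if len(services) > 1:
            findings["shared_subnet"].append((subnet, tuple(sorted(services))))
    return findings


if __name__ == "__main__":
    for kind, items in audit_network_separation(SAMPLE_INVENTORY).items():
        for item in items:
            print(f"{kind}: {item}")
```

The VLAN and subnet checks are deliberately global rather than per host: a single host whose FT adapter sits on the management VLAN mixes those two classes for every host that shares that VLAN, which is why the audit reports VLAN 10 and subnet 10.0.10.0/24 once each with all three classes that landed on them.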
“I think this may push more people to follow best practices because of the increased awareness,” he said.
IT pros shouldn’t expect this to be an isolated incident, according to Haletky. VMware and its competitors have become high-profile enough that their software is a juicy target for potential attackers.
“Years ago…we said we can’t say there won’t be a major incident involving one of the hypervisor vendors, whether it be VMware, Microsoft or even Citrix or Red Hat, and it’s going to be disastrous,” he said. “Does this raise the risk for VMware? Yes. As a company, absolutely.”