VMware Source Code Leak Reveals Virtualization Security Concerns
When virtualization technology giant VMware admitted last week that some of the confidential source code for its ESX hypervisor had been leaked, the world didn't quite know whether this was a bombshell or something barely worth raising an eyebrow about.
The story behind the leak is this: a hacker known only as "Hardcore Charlie" claims to have infiltrated the systems of the China National Import and Export Corp and got his hands on 300MB of the hypervisor source code. (It's not uncommon for VMware to share its code with other companies involved in server virtualization to enable them to develop complementary products, according to VMware.) Hardcore Charlie reportedly posted samples — which date back to 2003 — on the code sharing site Pastebin, and says that more will be posted in the future.
So on the one hand we've got an unknown amount of source code out in the wild, which is bad. But on the other hand the code is pretty old, which makes it less serious.
VMware's official line is hardly encouraging, though. "The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers," is how Iain Mulholland, a VMware security spokesman, put it. It may not be a big deal, in other words, but on the other hand it might be.
The whole sorry affair should remind us about a dirty little secret that's rarely mentioned: when you get into bed with VMware — or any other virtualization technology vendor, for that matter — you are entering a world of uncertain security. The fact that hackers may now have access to out-of-date source code, and might be trawling through it for possible vulnerabilities that still exist in the current version of the code, just adds a fraction more security uncertainty.
Here, in a nutshell, is the problem: in a physical environment, hackers have to concentrate on hacking individual servers, individual applications and individual databases. But when you use server virtualization, things are different.
"With VMware, everything is managed in a single layer, so if you can access the virtualization layer, you can access every virtual machine, the virtual networking and the virtual storage," says Eric Chiu, president of HyTrust, a company that provides security and compliance controls for VMware. This creates the potential for collateral hacking, in which the data of multiple companies could be at risk of being compromised in a security breach.
"In the physical construct, a hacker has to pick one area, a specific app, know the IP address of the server running the app, and then he has to get login credentials or some other way in. With virtualization, you just need a single point of access to get at everything," Chiu adds.
Chiu illustrates this with some real examples of companies coming undone in an environment that uses virtualization technology. One is a rogue network engineer who deleted a number of virtual servers after he was fired from Gucci, costing the company about $200,000. Another is a former IT staffer at pharmaceutical company Shionogi, who logged on to a VMware management console from a McDonald's restaurant and systematically deleted 88 VMs responsible for email, order tracking, financials and other services from 15 VMware hosts, causing around $800,000 of damage.
Now clearly Chiu has an interest in talking up the dangers of virtualization technology — his company sells products that aim to make it safer. But it is worth bearing in mind that nothing in life is free, and the undoubted benefits of virtualization technology don't come without certain concomitant risks.
Paul Rubens is a technology journalist and contributor to ServerWatch, EnterpriseNetworkingPlanet and EnterpriseMobileToday. He has also covered technology for international newspapers and magazines including The Economist and The Financial Times since 1991.