To fully understand the impact of the April 23rd code leak from VMware, we must first understand where the functional code originates. The leaked code is said to have come from the hypervisor portion of VMware’s software package. The hypervisor is what allows many virtual machines to run on one physical platform. It presents hardware information to each guest operating system, such as Windows Server 2008 or Windows Server 2003, as if each virtual machine had its own separate set of hardware. The hypervisor acts like a network router between the guest virtual machines and the hardware of the physical server on which they reside, constantly regulating the virtual machines’ access to the physical hardware so that the guests do not over-allocate it. So as you can see, the hypervisor is a very important and very active part of the VMware software package. This functionality is where a security leak of this nature could be an issue: because the hypervisor communicates with multiple virtual machines, any bugs in it could ultimately affect multiple virtual machines. We will explain more on this in a moment.
There are a few different attack types in the virtualization landscape: Management attacks, Escape the VM attacks, Driver attacks, Direct Hypervisor attacks, and Storage attacks. Of course, the big question is whether any of these attacks will be made more accessible with the release of this code. A great explanation of these attacks and their potential effects is given by Texiwill, who blogs for VirtualizationPractice.com, along with ways to combat vulnerabilities in your virtualization environment. Following best practices is probably the best and most effective way to combat attacks and optimize performance. However, most security experts do not believe that this code leak will increase the risk of attack, as the code is believed to come from the 2003-2004 timeframe, and the majority of environments should be upgraded well beyond this point.
My Segue colleague, Chad Andersen, provides these additional thoughts on the VMware code leak. “VMware is Linux (kernel is open source). They have added extra ‘features’ to the system that they want to keep private (competition reasons), but they mentioned here that they do release the source code. VMware proactively shares its source code and interfaces with other industry participants to enable the broad virtualization ecosystem today.” The age of the files suggests it is pre-ESX3 – see timeline – since ESXi wasn’t out yet and has been dramatically changed from ESX (further reducing the security threat). In Chad’s opinion, Linux-based systems are the most secure, and the source code to most of them is available (Example from 2008).
In summary, this does not appear to be a serious leak, and most technicians are not very concerned. VMware has released patches since the incident, and to our knowledge none of them address the hypervisor alone. Therefore, we believe this is not a big deal either. If the hackers decide to release more code at a later time (if they have more), then we will find out more about the nature of this security threat. In the meantime, the best advice we can give is to keep your systems patched and follow best practices.