DecryptedTech

Saturday 28 May 2022

Security Concerns Pop-up From The VMware Breach and Not Just About the HyperVisor



Remember the article that we posted a couple of weeks ago stating that one thing that Anonymous has done is highlight security concerns that corporations would rather keep hidden? Well, it turns out that the recent hack on the China Electronics Import & Export Corp (CEIEC) through an outsourced email provider, sina.com, was all about highlighting security. We have said more than once that the outsourcing of information into the cloud creates a security hole that is miles wide. Still we see this happening more and more as it becomes “cost effective” to allow someone else to deal with security.

Credit for the hack was taken by someone who goes by the name of Hardcore Charlie. Hardcore Charlie says that the breach of Sina.com was carried out with the help of others. This breach netted them hundreds of thousands of credentials for accounts hosted by Sina. From there they were allegedly able to grab over a terabyte of data from different companies.

So far the biggest payload they have released to the public is the VMware source code. VMware claims that the source code is nothing to worry about and is pretty old (from 2003-2004 according to VMware). Of course, Hardcore Charlie says otherwise. If the code is newer, it could help malicious persons identify a weakness in the hypervisor that virtual systems run on. As it stands right now, even compromising the OS on a host does not grant access to the guests on the system. This is even more true in systems where the image files for the guest systems are stored on encrypted storage. EMC, EqualLogic and others have encrypted storage devices that are often used to maintain data security, performance and also redundancy.

So losing a single host is not going to take down your virtual network. Where the problem would come in is if someone was able to find a way to use the hypervisor for direct access to the VMs or the VM storage. If they were able to use the ESXi CLI to launch a console giving them remote control of the guests, that is something that we would need to worry about.

On top of this, the issue of education and proper training rears its ugly head. Even in systems with all the right hardware and software updates, too many systems administrators are not taking the steps needed to secure these systems. We have found in many companies that the CLI (Command Line Interpreter) for ESXi 5.0 is left on for ease of use, SSH is left open and everyone logs in using the root password! These are the types of things that should not be happening, yet time after time we see this.
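The shared-root-over-SSH habit described above leaves a footprint in the host's SSH authentication log, and that footprint is something an administrator can check for. The following is an added example, not code from DecryptedTech or from VMware: it parses OpenSSH-style "Accepted/Failed <method> for <user> from <host>" lines (the log lines below are constructed for the example, not taken from a real host) and flags password-based root logins arriving from more than one source address, which is the usual sign that a single root password is being passed around instead of per-admin accounts with key-based authentication. The `max_root_sources` threshold and the `SAMPLE_AUTH_LOG` contents are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH auth-log style (not from any real host).
SAMPLE_AUTH_LOG = """\
2012-04-29T08:01:12Z sshd[1201]: Accepted password for root from 10.10.1.15 port 50112 ssh2
2012-04-29T08:03:40Z sshd[1207]: Accepted password for root from 10.10.1.22 port 50190 ssh2
2012-04-29T08:05:02Z sshd[1211]: Accepted publickey for backupsvc from 10.10.1.40 port 50201 ssh2
2012-04-29T09:17:55Z sshd[1290]: Accepted password for root from 10.10.1.31 port 51033 ssh2
2012-04-29T09:20:08Z sshd[1293]: Failed password for root from 10.10.1.31 port 51040 ssh2
2012-04-29T10:02:19Z sshd[1310]: Accepted password for root from 10.10.1.15 port 51470 ssh2
"""

# Matches the OpenSSH login result lines; ESXi's auth.log uses the same shape
# when OpenSSH is the SSH daemon (assumed here).
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_log(text):
    """Return one dict per recognised login line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def audit_root_ssh(events, max_root_sources=1):
    """Summarise successful password logins as root.

    A root password accepted from more than `max_root_sources` distinct
    addresses suggests the password is shared among several people, which
    removes any per-person accountability from the host's logs.
    """
    root_password_sources = defaultdict(int)
    failed_root = 0
    key_logins = 0
    for e in events:
        if e["user"] == "root" and e["method"] == "password":
            if e["result"] == "Accepted":
                root_password_sources[e["src"]] += 1
            else:
                failed_root += 1
        elif e["result"] == "Accepted" and e["method"] == "publickey":
            key_logins += 1
    return {
        "root_password_logins": sum(root_password_sources.values()),
        "root_sources": sorted(root_password_sources),
        "failed_root_password": failed_root,
        "publickey_logins": key_logins,
        "shared_root_suspected": len(root_password_sources) > max_root_sources,
    }


if __name__ == "__main__":
    findings = audit_root_ssh(parse_auth_log(SAMPLE_AUTH_LOG))
    for key, value in findings.items():
        print(f"{key}: {value}")
```

On a real host the same functions can be pointed at the contents of the SSH authentication log; the interesting output is `root_sources`, since every address in that list is a workstation that knows the root password. The fix the article is asking for is organisational (individual accounts, key-based logins, SSH and the shell disabled when not in use), and this check only tells you how far you are from it.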

We cannot stress this enough with everything that is happening and all of the FUD about Anonymous and their potential threat. If companies would spend the money and time needed to properly train the employees that are responsible for their security, this would not happen. Instead they cut back IT budgets, outsource to other companies (or even countries), and shovel millions of dollars into the government to try and pass laws that have little or nothing to do with security.

The last time I checked, creating new and more restrictive laws does not make people suddenly stop doing anything (Prohibition comes to mind here). All it does is push things further underground and foster the creation of larger organizations for protection and to pull off larger crimes. We do not know what other data Hardcore Charlie will release, but we do know that it is inevitable that more will be pushed out.

In the meantime, anyone running VMware should be taking a long hard look at their security, and not just passwords. This time you might want to check on everything from the edge of your network right down to the install on all of your hosts. Otherwise, you might find that not only is all of your data open to attack, but all of the systems you run could be compromised and turned on you, or in the worst case, simply destroyed.


Last modified on Sunday, 29 April 2012 17:53
