VMware Code Leak Highlights Security Concerns Around Virtualization

The hacker who posted the code from VMware’s ESX hypervisor on the Internet has said more code will be leaked, though VMware is downplaying the risk to customers.

The leaking of VMware hypervisor source code onto the Internet is turning attention again to the issue of security in virtualized environments.

VMware officials this week confirmed that some source code from the company€™s ESX hypervisor technology and written commentary from software programmers were posted on Pastebin.com. Officials with the virtualization software company first discovered the leaked code April 23, and Iain Mulholland, director of VMware€™s Security Response Center, in an April 24 post on the company€™s blog tried to allay fears about the extent of the threat the leaked code posed to customers.

"The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers," Mulholland wrote. "VMware proactively shares its source code and interfaces with other industry participants to enable the broad virtualization ecosystem today.€

He noted that source code and associated commentary dates back to 2003 and 2004. In addition, Mulholland said there was a €œpossibility that more files may be posted in the future.€ VMware is looking into the situation. €œWe take customer security seriously and have engaged internal and external resources, including our VMware Security Response Center, to thoroughly investigate,€ he wrote.

In question is where the leaked source code came from. As Mulholland noted, VMware shares such code with others in the industry, implying that the leak didn€™t necessarily come from VMware.

In a posting April 24, Kaspersky Lab€™s ThreatPost blog pointed to a hacker calling himself €œHardcore Charlie€ as the person who leaked the files, and a Chinese company€”China Electronics Import & Export Corp. (CEIEC)€”as the probable source of those leaks. According to ThreatPost, the breach at CEIEC can be traced back to an attack on an email hosting company, Sina.com, where email accounts were compromised.

Communicating with ThreatPost via Internet Relay Chat (IRC), Hardcore Charlie said that with the help of other hackers, he has been able to crack the encrypted credentials to hundreds of thousands of Sina.com accounts. The hack of Sina.com gave the attackers access to a number of firms in the Asia-Pacific region, and they collected more than a terabyte of data from the companies. Hardcore Charlie told ThreatPost he downloaded more than 300MB of source code from VMWare.

CEIEC officials in a statement released April 4, before the VMware code had been leaked, denied that their systems had been compromised, calling the assertions in the media €œtotally groundless, highly subjective and defamatory.€

Hardcore Charlie also spoke with Reuters earlier this month, saying he was a 40-year-old Hispanic man in a country near the United States and was a friend of Hector Xavier Monsegur, the reported leader of the hacktivist group LulzSec, who became an informant for law-enforcement investigators. Authorities armed with the information from Monsegur€”a New York City resident who called himself €œSabu€ online€”arrested several top members of LulzSec last month.

In an interview with The Inquirer news site over an IRC connection April 26, Hardcore Charlie said the leak was done to highlight the need for greater discussion around security, not for profit. He also said he had a lot more VMware data that he will make public.

Tech companies and enterprises for several years have been talking about security concerns related to hypervisors, the technology that enables virtualization. In 2010, IBM officials, in their X-Force security report, said that while code vulnerabilities in virtualization were relatively few when compared with other software threats, 35 percent of such vulnerabilities are related to the hypervisor. A breach of the hypervisor could give attackers an opening to systems running on the same piece of hardware.

Also in 2010, researchers from CA released a report saying that even as the adoption of virtualization is growing, security in virtualized environments is lagging. Hypervisors were a particular concern, given that administrator accounts on hypervisors tend to have extensive access privileges with few limitations or security controls. CA€™s study found that 73 percent of respondents said they were concerned about the privileges granted to hypervisors and the potential for abuse by users with administrative control. However, 49 percent said they have not implemented any privileged user management or security log management systems to mitigate the risk.