Some source code for an old version of ESX has been posted online; more is threatened. Everyone running this hypervisor should be a little bit nervous, but only a little.
Threatpost reported on an IRC chat with a hacker calling himself "Hardcore Charlie," who is associated with the LulzSec hacking group and Anonymous. The hacker claims to have broached the security at a number of Chinese companies and exfiltrated over a terabyte of data, with more added every day. "We are still sorting it out and still have access to the companies," he told Threatpost.
The hacker posted one ESX source file, dating from 2004, to the site pastehtml.com. (You can find links to the stolen material in ZDNet's coverage.)
The hacker, and the group he works with, claim to be pursuing evidence of Chinese complicity in worldwide computer break-ins. The data they say they lifted from the internal networks of CEIEC, the China Electronics Import & Export Corporation, and other Chinese companies, represents an extremely mixed bag of low-level military data and corporate correspondence and source code. "When it's all jumbled like that, I wonder if they're sitting on a TOR exit node and just assembling what comes out and calling it a dossier," security expert Richard Bejtlich speculated to Threatpost.
VMWare released a statement admitting that one source file of its code had been posted online, and taking note of Hardcore Charlie's promise to post more of it. But the company added, "The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers."
Of course they would need to say that, but it will not assuage the worry. Of the three hypervisors in wide use -- ESX, Xen, and KVM -- ESX was the only one whose source code was not public. While security experts differ over the question of whether open-source code is inherently more or less secure than proprietary code, customers who have widely deployed VMWare ESX must wonder and worry. Could hackers with access to the hypervisor source code locate exploitable security holes? It's possible but unlikely. A lot depends on how much the code has changed over the last 8 years.
Charles Babcock, writing in InformationWeek.com, discusses some research out of MIT and the University of California at San Diego. While uncorroborated by any other researchers, the work points to the possibility that one virtual machine might be able to glean information about what another is doing by watching and timing hypervisor activity. In the real world, "Amazon officials said EC2 operational characteristics were nothing like the lab circumstances where the keystroke detection and analysis allegedly worked."
Babcock informs us that Harris Corp. put together a Cyber Integration Center in Virginia to showcase technologies making the virtualized environment as bulletproof as it can be. They are closing the center after two years due to a lack of customer interest. "Extra security costs more, and there have no proven cases of compromised hypervisors," Babcock writes. "Harris's closed data center would seem to be a marketplace verdict that existing hypervisor security is good enough."
It may be good enough in the absence of the nightmare scenario: some VMWare ESX exploit that gives malefactors oversight or even control of multiple virtual machines by infecting the hypervisor. If this were to come to pass, every company that has deployed virtualization to aid their agility -- and that's all of them -- would be scrambling for, and paying for, ways to mitigate the risk.