VMware addresses ESX source code leaks with accelerated security patches

analysis
May 7, 2012 (5 mins)

Five vulnerabilities patched that could have allowed an attacker to execute code on the virtual host server

At the end of April, Iain Mulholland, director of the VMware Security Response Center, announced that some of VMware’s confidential source code for the ESX hypervisor had been leaked and a single file had been posted online. That same day, Kaspersky Lab’s ThreatPost blog pointed to a hacker calling himself “Hardcore Charlie” as the person who leaked the VMware ESX hypervisor files.

At first, the full extent of the situation was unclear. Could this leak affect virtual data centers and cloud environments around the world, or would it end up being just a minor blip on the radar screen? The specifics of the leaked code are still in question, but the availability of ESX source code out in the wild could potentially give hackers a better chance to find undiscovered vulnerabilities in the company’s hypervisor technology. The seriousness of this exposure depends on the level of code audit performed.


VMware’s initial stance on the source code leak was discouraging. In his initial blog post, Mulholland seemed to downplay the event. He stated that the leaked code dated back to the 2003-2004 timeframe, and since VMware had made many revisions to the code in the years that followed, it seemed like a good possibility the leaked code could have been deprecated along the way, reducing any negative security effects it might have. Mulholland also tried to calm fears by saying, “The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers.”

Now, almost two weeks after the initial announcement, we may not be any the wiser as to the exact source code leaked, but we are witness to VMware living up to its promise of making sure its customers remain secure.

On Thursday VMware issued a new security update that further referenced the recent source code leak event. Along with that update came a host of new critical security patches for a number of affected VMware products. Those products include VMware ESX and ESXi hypervisor versions 3.5, 4.0, 4.1, and 5.0, as well as two of VMware’s client products: Workstation and Player.

The announced patches address five “critical” security issues across each of these platforms. The security advisory describes remote procedure call (RPC), network file system (NFS), and SCSI device vulnerabilities that could enable an attacker to execute code on a virtualized host, a virtual administrator’s worst nightmare. Even more alarming, root- or administrator-level permissions are not required to exploit some of these vulnerabilities.

“By applying the combination of the most current product updates and the relevant security patches, we believe our customer environments will be best protected. As is our practice, VMware will continue to assess any further security risks, and will continue to provide updates and patches as appropriate,” stated VMware.

While the security post directly referred to the code leak incident, it wasn’t clear as to the exact relationship between the newly announced vulnerabilities and the leaked source code file. Instead, VMware decided to frame the security discussion in a different way, making it sound as though the updates were part of the company’s regular patching program. VMware stated: “In light of the current circumstances, we have accelerated our most recent security patches and applied them to all affected currently supported products.” The virtualization giant said these specific product releases may be exposed to increased risk, and it encourages all customers to view the security links to determine if appropriate patches are available for products in their environment.

As part of this security advisory, VMware also gave credit to Derek Soeder, a security researcher at Ridgeway Internet Security, for identifying some vulnerabilities. Soeder evidently reported two host memory overwrite vulnerabilities affecting ESX and ESXi to VMware back in December of 2011. He publicly raised security concerns in a blog post on March 30: “VMware High-Bandwidth Backdoor ROM Overwrite Privilege Elevation.”

To date, VMware has been fortunate enough to remain below the radar from a security standpoint. The multi-billion-dollar cloud and virtualization software company hasn’t had to deal with the number of security attacks that have plagued Microsoft on the operating system side of the fence. But when VMware has been faced with security challenges, the company has done a good job of alerting customers and making patches and updates available to address the security issues.

Whether or not the hacker(s) involved with stealing the VMware source code actually make good on the threat to leak more information, at the end of the day, one thing is clear: When VMware releases patches and updates that are marked as “critical,” don’t blink. VMware customers shouldn’t take any chances with their virtualized infrastructures. In a physical environment, hackers have to concentrate on hacking individual servers or individual applications. But when you use server virtualization, a hacker can sometimes get away with entry to a single point of access to get at everything.

For now, worry less about the “what ifs” of leaked source code and worry more about known vulnerabilities, making sure to keep current on your patching levels.

Are you patched and up-to-date? If not, what are you waiting for? How concerned are you about the source code leak? Do you think VMware has it under control?

This article, “VMware addresses ESX source code leaks with accelerated security patches,” was originally published at InfoWorld.com.