Attacks/Breaches
4/26/2012
11:23 AM
50%
50%

VMware Breached, More Hypervisor Source Code To Come

Hacker Hardcore Charlie reveals stolen VMware source code and documents from Asian defense contractors, promises more disclosures in May.

Is your hypervisor safe?

Hypervisors--such as VMware ESXi and Xen--provide the platform on which virtualized guest operating systems run, and are therefore a core component of any business's virtual infrastructure. But they're also a potential security weak point. A 2010 study from IBM, notably, found that 35% of all vulnerabilities in a virtualized environment could be traced to the hypervisor.

Those vulnerabilities are cause for concern in the wake of VMware's Monday confirmation that source code dating to 2003 and 2004 had been publicly released by a hacker billing himself as Hardcore Charlie. Furthermore, he said the release was a "sneak peak" of the 300 MB of VMware source code he said is in his possession, which he said will be publicly released May 5.

Iain Mulholland, director of the VMware Security Response Center, said in a Monday blog post that the company's security team had confirmed that a file containing VMware ESX source code had been published. He promised that VMware would update its customers as it learned more.

[ Defense gets you only so far. Learn Why Security Teams Need To Play More Offense. ]

VMware now ships a more lightweight, embedded version of ESX, dubbed ESXi, on new servers. Both ESX and ESXi are "bare-metal embedded hypervisors," meaning they run directly on server hardware. Might Hardcore Charlie's public look into the inner workings of the VMware hypervisor create security repercussions for ESXi customers, for example if hackers were able to identify exploitable zero-day vulnerabilities in the ESX code?

Multiple security researchers contacted for this story declined to comment, with one saying that he'd first need to see the stolen source code to understand the potential threat. But one hypervisor security worry has been "escape to hypervisor" attacks. No such attacks have yet been seen in the wild. But security experts predict they will happen in the future, and would allow an attacker to escape from a given virtualized machine and potentially access any other virtual machine running on the same server.

VMware, however, is downplaying any security threats that might result from the source code disclosure. "The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers," Mulholland said. "VMware proactively shares its source code and interfaces with other industry participants to enable the broad virtualization ecosystem today." He also confirmed to Threatpost that some of the documents leaked by Hardcore Charlie appeared to be source code review documents, which would have been used to help describe to VMware insiders, as well as with business partners.

Charlie said he obtained the VMware kernel source code via March attacks against China Electronics Import & Export Corporation (CEIEC). He said he'd also attacked--and still had access to--China North Industries Corporation (Norinco), WanBao Mining, Ivanho, and PetroVietnam. Earlier this month, he released a preview of stolen information via Pastebin, as well as images of multiple documents, some of which appear to be Chinese intercepts of U.S. military transportation documents pertaining to Afghanistan.

But CEIEC released a statement denying its systems had been breached, saying that "the information reported is totally groundless, highly subjective, and defamatory." The company also said that it "reserves the right to take legal action against the relevant responsible individuals and institutions."

Charlie, however, told Threatpost via IRC (Internet relay chat) that he breached CEIEC by first stealing hundreds of thousands of encrypted credentials for Web-based email accounts at Sina.com. He said he then reached out to hacker Yama Tough--who released Symantec source code in January--to help crack the credentials. At that point, he and a group of hackers began looking for accounts of interest.

Charlie promised that a full-scale document dump, involving at least 1 TB of data, would also occur on May 5, including a "complete CEIEC stash of documents." He said that while they were still reviewing the documents' contents, they'd also made a number of interesting discoveries. "We want to make it clear that CEIEC is engaged in a criminal activity with Ukraine and Russian officials as of supplying Ukraine and Russia with U.S. Army information for the terrorists," he said in the Pastebin post. "In Ukraine Chinese security services enforce illegal copper mine deals through corrupted KGHMPM [KGHM (Shanghai) Copper Trading Company] officials and in Russia through Gazprom subsidiary companies."

The preview release, as well as promise of more to come, shows that even after the arrests of multiple alleged LulzSec and Anonymous participants, the practice of "doxing"--obtaining and releasing internal company and government agency documents--remains alive and well. In fact, a "hola lulz" aside in Charlie's Pastebin post makes an overt nod to previous doxers.

Charlie told Reuters that he's a 40-year-old Hispanic man living in a country located close to the United States, and that he was a friend of LulzSec leader Hector Xavier Monsegur, a.k.a. Sabu.

InformationWeek is conducting a survey to determine what's important to you when you're choosing vendors of security information and event management (SIEM) products as well as how the vendors are actually doing against those criteria. Upon completion of our survey, you will be eligible to enter a drawing to receive an 16-GB Apple iPad. Take our Security Information And Event Management Vendor Evaluation Survey now. Survey ends April 27.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
RAMLETH000
50%
50%
RAMLETH000,
User Rank: Apprentice
4/29/2012 | 1:02:10 AM
re: VMware Breached, More Hypervisor Source Code To Come
Anyone remember a few years back when there was some question as to whether VMware had used parts of Linux for their ESX hypervisor without contributing back to the community? VMware always denied this, but doubts lingered. With parts of the source code available and more on the way, the community can take a look for themselves. I wonder if anyone will.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5395
Published: 2014-11-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei HiLink E3276 and E3236 TCPU before V200R002B470D13SP00C00 and WebUI before V100R007B100D03SP01C03, E5180s-22 before 21.270.21.00.00, and E586Bs-2 before 21.322.10.00.889 allow remote attackers to hijack the authentication of users ...

CVE-2014-7137
Published: 2014-11-21
Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM before 3.6.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) contactid parameter in an addcontact action, (2) ligne parameter in a swapstatut action, or (3) project_ref parameter to projet/tasks/contact.php; (4...

CVE-2014-7871
Published: 2014-11-21
SQL injection vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev36 and 7.6.x before 7.6.0-rev23 allows remote authenticated users to execute arbitrary SQL commands via a crafted jslob API call.

CVE-2014-8090
Published: 2014-11-21
The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nes...

CVE-2014-8469
Published: 2014-11-21
Cross-site scripting (XSS) vulnerability in Guests/Boots in AdminCP in Moxi9 PHPFox before 4 Beta allows remote attackers to inject arbitrary web script or HTML via the User-Agent header.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?