Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:08 AM
Connect Directly

'Virtual' Vulnerabilities About to Become Reality

Virtualization bugs may be rare, but they are only the tip of the iceberg

Hypervisors gone bad. Malware spreading from one virtual machine to another. Virtualization-based rootkits evading detection. Such threats look scary on a PowerPoint slide, but are they worth losing sleep over tonight?

Probably not, experts say. Virtualization is still in its early stages of deployment, so most security threats to virtualized environments are either too futuristic or theoretical for most enterprises to digest. Few virtualization vulnerabilities have been disclosed publicly.

But that doesn't mean you won't lose some sleep down the road, security experts say. (See VMs Create Potential Risks.)

"This [virtualization] is a major tectonic shift in how we provision, deploy, manage, and secure resources," says Christofer Hoff, chief architect for security innovation at Unisys. "There is an assumed risk with virtualization."

The relative dearth of virtual machine bugs has more to do with researchers only just starting to zero in on this technology, Hoff says, and the fact that most deployments have mostly been internal, rather than externally-facing. "But once you see them show up in production, and become external-facing... There will be exploits."

There are some real threats today as well, such as a "rogue" VM images accidentally -- or maliciously -- landing on a production machine, an "exploit" that Hoff has witnessed firsthand.

Virtualization is expected to take off within the next few years. According to Gartner, 70 percent of large organizations plan to use virtualization by 2010 to collapse some or all of their DMZs.

This is only the beginning, experts say. Microsoft last month patched a so-called "elevation of privilege" bug in its Virtual Server and Virtual PC software. This would let an attacker run code on the host operating system if he were to get malicious code running on the guest OS.

Microsoft says it's trying to catch potential threats before it puts out new virtualization-based software. "The threat is very real and something we are taking very seriously," says Brandon Baker, security development engineer for Microsoft. "For Windows Server virtualization within Windows Server 2008, we’ve invested in developing extensive threat models to think about ways attacks could manifest themselves, and [we] are validating our code against these hypothetical attacks."

"We want to find and fix as many of these bugs as possible before they ever ship or can be exploited in public. We have to be ahead of the curve on virtualization security," Baker says.

Virtualization bugs are typically complex and tough to find, Baker observes, and the industry needs better tools to assist researchers. "As an industry, [we need to] do more to develop new tools and adapt existing ones to find these sorts of bugs early, because ultimately, they will become more interesting to people looking to exploit systems."

And vulnerabilities aren't the only things that can make a virtual environment prone to attack: Some virtualization product features themselves can be exploited to launch an attack. A vulnerability in VMWare's scripting-automation API, for instance, lets a malicious script on the host run programs and compromise guest OSes, according to security consultant and researcher Mark Burnett.

Still, a lot comes down to how you configure a VM. "There are insecure ways to configure everything," says Thomas Ptacek, principal with Matasano Security. You have to be careful how you migrate to VMs, where you store them, and that you segment them as needed: "High sensitivity apps with customer information and credit card data should not be on the same iron as a VM to test a new application."

Microsoft's Baker says any feature or vulnerability that could compromise guest-to-guest isolation in Windows Server virtualization "gets fixed or cut."

"The last thing I ever want to hear as a security engineer is 'it's a feature, not a vulnerability,' " Baker says. "Any remaining channels we expose from the host into guests, such as VMBus in Windows Server virtualization, are treated as potentially hostile and undergo rigorous analysis and testing."

So far, there have been no reports of major exploits or attacks on hypervisors yet, says Allwyn Sequeira, senior vice president of product operations for Blue Lane Technologies. "I don't know a single case where a customer has talked to [us] about being attacked," he says. "More recently, they are asking us whether we protect the hypervisor."

For now, it's the calm before the storm, experts say. "Five years from now, every machine will be virtualized," argues Matasano's Ptacek. "It's that important, and we need to take this more seriously."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • Microsoft Corp. (Nasdaq: MSFT)
  • Gartner Inc.
  • Unisys Corp. (NYSE: UIS)
  • Matasano Security LLC
  • Blue Lane Technologies Inc. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 11/19/2020
    New Proposed DNS Security Features Released
    Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
    How to Identify Cobalt Strike on Your Network
    Zohar Buber, Security Analyst,  11/18/2020
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Write a Caption, Win an Amazon Gift Card! Click Here
    Latest Comment: A GONG is as good as a cyber attack.
    Current Issue
    2021 Top Enterprise IT Trends
    We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
    Flash Poll
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2020-11-24
    An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects: MongoDB Inc. MongoDB Server v4.2 versions prior to 4.2.1; v4.0 versions prior to 4.0.13; v3.6 versions...
    PUBLISHED: 2020-11-24
    Cross-site request forgery (CSRF) vulnerability in GS108Ev3 firmware version 2.06.10 and earlier allows remote attackers to hijack the authentication of administrators and the product's settings may be changed without the user's intention or consent via unspecified vectors.
    PUBLISHED: 2020-11-24
    Untrusted search path vulnerability in the installers of multiple SEIKO EPSON products allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
    PUBLISHED: 2020-11-24
    includes/CologneBlueTemplate.php in the CologneBlue skin for MediaWiki through 1.35 allows XSS via a qbfind message supplied by an administrator.
    PUBLISHED: 2020-11-24
    The PollNY extension for MediaWiki through 1.35 allows XSS via an answer option for a poll question, entered during Special:CreatePoll or Special:UpdatePoll.