VMware patches spotlight growing virtualization security risks

Experts warn that threats will escalate as companies migrate to the cloud

EMC VMware recently rolled out an update to its vSphere API, aimed at fixing a denial-of-service vulnerability in ESX and ESXi. The company also updated the ESX Service Console to include several open-source security updates.

If companies don't apply the API patch, they leave the door open for unauthenticated users to send malicious API requests and disable the host daemon, according to VMware. This exploitation could prevent management activities on the host; however, VMs running on the host would not be affected.

"This really shows how vulnerabilities can be exploited, and how important it is to secure today's virtualization and cloud environments; after all, this is the new 'OS' of the data center and provides access to the virtual machines, the virtual network, and mission-critical enterprise applications, and the virtualized storage resources as well," said Eric Chiu, president and founder of virtualization security company HyTrust. "Given this, virtualization is a prime target for breaches and attacks -- especially the management plane, which is the easiest way to exploit a virtualized environment and get the 'keys to the kingdom.'"

Beyond the API fix, VMware issued updates to the ESX Service Console, addressing multiple security issues with the console's python packages, expat package, and nspr and nss packages. Among them, it resolves a certificate trust issue caused by a fraudulent DigiNotar root certificate. The fix relates to the infamous DigiNotar security breach that occurred in July 2011, resulting in a malicious hacker using the company's certificate authority infrastructure to issue hundreds of rogue digital certificates for high-profile domains.

It's been a rough November for VMware, securitywise. Earlier in the month, the company warned that a hacker had exposed the company's ESX hypervisor source code. The source code was from 2004 and related to other code released in April, according to Iain Mulholland, VMware's director of platform security.

Reports of security flaws in virtualization software have steadily increased over the years as more companies embrace the technology, which has proved a juicy target for malicious hackers -- and VMware isn't the only target. Last June, for example, the U.S. Computer Emergency Readiness Team issued a security warning that some 64-bit operating systems and virtualization software running on Intel CPUs could be vulnerable to a flaw exploitable for local privilege escalation or a guest-to-host virtual machine escape. According to InfoWorld blogger David Marshall, that vulnerability was particularly noteworthy in that it didn't just affect a single vendor, but rather a number of different 64-bit hypervisors and OSes, depending on the type of processor they were running on.

In a similar vein, computer scientists from the University of North Carolina, the University of Wisconsin, and RSA Laboratories recently released a paper (PDF) outlining how they devised a virtual machine capable of extracting private cryptographic keys stored on separate VMs residing on the same piece of hardware.

Security risks are going to continue to escalate, according to the SANS Institute, as more companies transform their virtualized infrastructure into private clouds, where internal shared services run on virtualized infrastructure. Security architecture, policies, and processes will need to adapt to work within a cloud infrastructure, according to the group.

This story, "VMware patches spotlight growing virtualization security risks," was originally published at InfoWorld.com.