VMware addresses ESX source code leaks with accelerated security patches

Five vulnerabilities patched that could have allowed an attacker to execute code on the virtual host server

At the end of April, Iain Mulholland, director of the VMware Security Response Center, announced that some of VMware's confidential source code for the ESX hypervisor had been leaked and a single file had been posted online. That same day, Kaspersky Lab's ThreatPost blog pointed to a hacker calling himself "Hardcore Charlie" as the person who leaked the VMware ESX hypervisor files.

At first, the full extent of the situation was unclear. Could this leak affect virtual data centers and cloud environments around the world, or would it end up being just a minor blip on the radar screen? The specifics of the leaked code are still in question, but the availability of ESX source code out in the wild could potentially give hackers a better chance to find undiscovered vulnerabilities in the company's hypervisor technology. The seriousness of this exposure depends on the level of code audit performed.

[ Also on InfoWorld: Find out about 5 free tools for VMware View VDI admins to try. | Read about how Microsoft targets iPad, Android users with tablet virtualization license fee. | Keep up on virtualization by signing up for InfoWorld's Virtualization newsletter. ].

VMware's initial stance on the source code leak was discouraging. In his initial blog post, Mulholland seemed to downplay the event. He stated that the leaked code dated back to the 2003-2004 timeframe, and since VMware had made many revisions to the code in the years that followed, it seemed like a good possibility the leaked code could have been deprecated along the way, reducing any negative security affects it might have. Mulholland also tried to calm fears by saying, "The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers."

Now almost two weeks after the initial announcement, we may not be the wiser as to the exact source code leaked, but we are witness to VMware living up to their promise of making sure its customers remain secure.

On Thursday VMware issued a new security update that further referenced the recent source code leak event. Along with that update came a host of new critical security patches for a number of affected VMware products. Those products include VMware ESX and ESXi hypervisor versions 3.5, 4.0, 4.1, and 5.0, as well as two of VMware's client products: Workstation and Player.

The announced patches address five "critical" security issues across each of these platforms. The security advisory describes remote procedure call (RPC), network file system (NFS), and SCSI device vulnerabilities that could enable an attacker to execute code on a virtualized host, a virtual administrator's worse nightmare. Even more alarming, root- or administrator-level permissions are not required to exploit some of these vulnerabilities.

"By applying the combination of the most current product updates and the relevant security patches, we believe our customer environments will be best protected. As is our practice, VMware will continue to assess any further security risks, and will continue to provide updates and patches as appropriate," stated VMware.

1 2 Page
Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies