Was just alerted to a security alert about VMWare that came out last week, by colleague Josh More. If you have 64 bit Windows or BSD running in a VM on ESX 3.5 or ESXi 3.5, AND you have untrusted users with program execute privileges on these guests you should the following alerts:
And
Derek Soeder’s in depth write up of the flaw and the ramifications
Basically here’s the use cases of ESX that I can think of where you would want to be concerned. These are use cases where the possibility of untrusted users exist. There are probably more, so feel free to add them if you think they are important.
- 64 bit XenApp or Presentation Servers
- VDI-type environments with 64bit XP or Vista Guests
- Hosted Cloud environments with 64-bit Windows/BSD guests. You might want to patch the environment for your customer in this case.
- Compute farms with 64bit Windows/BSD guests as the compute platform running God-knows-what for money.
- Enthusiasts hacking ESX and Max OS X Leopard to run as 64bit VM.
Just kidding, and not really sure if Mac’s version of BSD is vulnerable to this flaw, but I include for a little Monday morning humor.
One thing I would like to point out to the overzealous security guys in the crowd is that although this is an important security flaw, it highlights one of virtualization’s key strengths: encapsulation. Although the guest OS can be compromised by exploiting this flaw, it does not allow you to directly affect the security of remaing VMs on that same ESX server because the VM is encapsulated within the hypervisor’s software.
Add New Comment
Thanks. Your comment is awaiting approval by a moderator.
Do you already have an account? Log in and claim this comment.
Add New Comment
Trackbacks
(Trackback URL)