VMware Inc. has released a security advisory, warning users of its ESX 4.1 software that a vulnerability in the hypervisor could allow a local user to gain local privileges.
The company issued a patch, Monday,
Any vulnerability in a hypervisor is a serious concern because of the key role it plays in managing a virtualised computing environments. Researchers have been studying ways to attack a VM session via the hypervisor.
According to Tim Orchard, technical director at Hampshire-based pen testing company Activity Information Management Ltd., although this particular vulnerability could not be exploited remotely, there have been some vulnerabilities in the ESX remote management interface in the last year that have been successfully exploited during penetration tests.
Those vulnerabilities included one in the remote management interface for VMWare server which emerged in October 2009 and was not patched until February 2010. "We found this exposed in a customer's DMZ. So theoretically, if you compromised a Web server to gain access to the DMZ network, you could then use this vulnerability to further your exploitation," Orchard said.
However, Orchard said, the threats posed against the hypervisor are currently more theoretical than real. "By putting a number of servers on one device you do provide an attractive target to attack," he said. "There has been significant research into how to attack the hypervisor, but it has been difficult to exploit in the real world."
Orchard said organizations adopting virtualisation can adopt good practices to reduce risk. "Management interfaces to the virtual server are always a potential weakness and should not be exposed externally," he said.
In addition, Orchard said virtualised systems should not be used across security barriers -- for instance, they should not support servers on both sides of a firewall -- because any exploited vulnerability in the virtualisation software could then provide a path around the firewall.
"Like every server, virtualized systems need to be kept up to date with patches and hardened with no unused services running and default accounts disabled," he said. "And remember that not everything needs to be virtualised."