Not Much Hyperventilating Over Hacker’s Hypervisor Code Theft

A hacker with the handle “Hardcore Charlie” has stolen source code for VMware’s ESX hypervisor and posted it on the Internet.

A hypervisor provides a virtualization layer between operating systems and the underlying hardware, creating a virtual machine (VM). This lets users run multiple virtual machines on one processor. Hypervisors are key to virtualization and cloud computing.

Hardcore Charlie claims he obtained the code for the VMware Kernel and the TraceViz GUI (graphical user interface). He’s promised to post more VMware source code on the Internet in May.

VMware stated that a single file from the ESX source code had been posted and that it dates back to about 2003 to 2004. It said customers may not face an increased security threat. The company is investigating the theft.

What the Hacker Stole

The VMware documents appear to have been obtained by Hardcore Charlie during an attack on Beijing-based China National Electronics Import-Export (CEIEC) last month.

About 1 terabyte of data was pilfered in that raid, Hardcore Charlie told Kaspersky Lab. He apparently has about 300 MB of VMware source code.

CEIEC has denied that it was hacked by Hardcore Charlie. This led the hacktivist to release more documents, including U.S. military data.

The Danger of TraceViz

TraceViz lets developers annotate source code with trace points that carry an ID, a class and some data, and then view the sequence of events later in a Java GUI, Hardcore Charlie said.

TraceViz appears to be a combination of the Traceroute computer network diagnostic tool and a GUI.

Traceroute is available on most operating systems. In Windows, it’s named “tracert”; the PathPing tool in Windows NT has similar functionality. Linux installations offer a variant of the tool known as “tracepath.” In IPv6, the tool is known as “traceroute6.”

It’s easy to get live data over the network by using TraceViz on a computer connected to a remote host, Hardcore Charlie said.

VMware and Security

More than 50 percent of enterprise data centers are virtualized, and that makes virtual infrastructure a prime target for attack, said Eric Chiu, president and founder of HyTrust.

So, “the theft of VMware ESX source code … is no surprise,” Chiu told TechNewsWorld. “Without securing the virtual infrastructure, enterprises are leaving a huge area of their datacenter open to attack.”

VMware offers customers security in various ways. It launched vShield, which offers protection from network-based threats in virtual data centers, at VMworld 2010.

Earlier this month, antivirus vendor McAfee launched its Management for Optimized Virtual Environments (MOVE). This integrates with VMware vShield Endpoint, which protects VMs.

Sometimes Code Is Just Code

The stolen ESX code may not pose much of a threat to users of VMware’s products. Back in 2007, VMware unveiled ESX Server 3i, the successor to ESX. The ESX Server 3i product evolved into ESXi, and VMware has been urging customers to migrate to it from ESX for greater security and improved manageability.

Further, “a potential exposure isn’t an exploit,” Rob Enderle, principal analyst at the Enderle Group, pointed out. “We have thousands of potential exposures identified every month across all platforms, and the industry has learned to deal with these issues reasonably well over the last decade.”

Although any threat will likely be most pronounced in cloud deployments, “these solutions tend to be a bit more resilient than most,” Enderle told TechNewsWorld. “Right now, this is more of a nuisance than anything else, someone looking for their 15 minutes of fame.”

VMware did not respond to our request for comment for this story.