VMware source code leak: 'IT equivalent of the Deepwater Horizon oil spill'
VMware has confirmed that a portion of the source code for its ESX hypervisor was compromised, although the code dates back as far as 2003. That said, a fairly significant portion of the company's customers are still using the platform as VMware works to push them towards its newer hypervisor called ESXi.
A hypervisor, in the simplest terms, is a virtual machine management platform on which several virtual machines can run concurrently. The hypervisor controls the sharing of virtualized hardware resources. ESXi has a far smaller attack surface, which limits the available avenues of attack on an installation.
The code was posted to Pastebin by a LulzSec-related hacker who goes by the handle "Hardcore Charlie" on April 8. The breach was part of a larger effort by the hacker which compromised the servers of the Beijing-based China National Import & Export Corp (CEIEC). The hacker says he was looking for information on the US military's efforts in Afghanistan.
Adding insult to injury, VMware says it is aware that additional code disclosures may occur, but attempted to downplay any damage. "VMware proactively shares its source code and interfaces with other industry participants to enable the broad virtualization ecosystem today", the company's Security Response Center director Iain Mulholland says.
Given the sometimes glacial pace at which the enterprise moves when it comes to updating software, this week's confirmation of the breach should provide some impetus to those still using the ESX hypervisor. While this particular code may check out and be free from holes, there's no assurance future code disclosures will be equally bug-free.
Mulholland says the company is conducting both an internal and external investigation of the breach, and will share further details as they become available.
Paul Roberts, blogger with Kaspersky Lab's ThreatPost, calls the breach the "IT equivalent of the Deepwater Horizon oil spill disaster", pointing to the fact that VMware itself cannot rule out that its own source code repository may have been hacked.
Roberts is referring not only to the VMware code, but also to a chunk of other sensitive data that has "bubbled up" from the CEIEC breach, including sensitive information on US military operations in Afghanistan, and a host of internal communications from Chinese companies through an associated breach of Chinese e-mail hosting company Sina.com.