I got into a bit of a heated debate last night concerning whether the threat of hackers exploiting ESX flaws to break out from one host system to exploit another was a real issue or just fearmongering. Now, I’m always up for a bit of mongering, especially when fear or scare are added to it, so I was on the side of hackers utilizing flaws to attack the wider infrastructure.
My esteemed colleague Steve* was rather determined that these kinds of breaches, whilst theoretically possible, were something that would not really happen. Kind of like everyone waiting for the end of the world because some Swiss scientists built a big circular pipe with a few atom guns in it. Something could happen, but it’s not worth buying the local supermarket out of their tinned goods yet.
The thing is, he’s right on the money here. Whilst it has been shown to be possible and an exploit has been released (although for the cheaper desktop versions of VMware), nothing has really been seen out in the wider world. So why was I on the side of mongering, you may ask?
Because although breaking out from one VM to another through the underlying hypervisor is really rather difficult, why would a hacker bother doing that? They would happily look for those hundreds of machines that have sprung up from nowhere without consent from Ops or Security, that are never patched, never checked for security parameters and probably all have the same admin credentials. They would break into those, rob all the good stuff and then use the IP network to look for other targets, irrespective of whether they are physical or virtual, and break out anyway. They don’t need to do all the clever stuff to break out; they’ll use the network and a myriad of poorly configured systems to springboard from one machine to another.
I’ve got a great example of this. I was working onsite with a rather large vendor partner, getting our solution up and running in their demo lab so that they could show their clients how lovely both of our technologies are. As I’m clicking through the install, pretending I know what I’m doing, my RDP connection to the demo lab system I was working on got dropped. Spinning around on my chair, I asked what was going on. One of the engineers from a few desks down rather sheepishly told me: “We’ve just realised that none of the demo VMware images have AV installed and we’ve picked up a virus.” True story; if you buy me a pint I’ll even name and shame.
My point is, why worry about something theoretical when you are missing so much anyway? Good security is not about trying to figure out exotic ways to protect against that 1% chance; it’s about ensuring that you have a good level of security for the other 99%. Whilst VM breakouts are a theoretical threat, poorly configured systems make it pretty pointless to use that approach anyway; an attacker will instead use the flaws you’ve introduced by not having control of your ever-increasing VM library.
*Names not changed to belittle the guilty.
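The practical counterpart to the argument above is an inventory audit: compare what the hypervisor actually reports against what Ops and Security have approved, and flag the machines that are unregistered, have no AV, have missed their patch window, or share a local admin credential with another host. The script below is an added example written for this post, not code from the original or from any VMware product; the VM names, the approved list, the 30-day patch SLA and the credential fingerprints are all constructed sample data, and in a real deployment the records would come from your CMDB and hypervisor inventory API.

```python
"""Audit a hypervisor VM inventory against the approved list (constructed example, not the post's code)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

PATCH_SLA_DAYS = 30  # assumed policy: a VM unpatched for longer than this is flagged
AUDIT_DATE = date(2024, 6, 1)  # constructed "today" so the sample run is reproducible


@dataclass
class VmRecord:
    name: str
    av_installed: bool
    last_patched: Optional[date]  # None means the VM has never been patched
    # Opaque fingerprint of the local admin credential (e.g. a salted hash reported
    # by a config-management agent). It is compared, never reversed, and is never the secret itself.
    admin_cred_fingerprint: str


# Constructed sample data: what the CMDB says should exist, and what the hypervisor actually reports.
APPROVED_VMS: Set[str] = {"web01", "db01", "demo-lab-01"}

DISCOVERED_VMS: List[VmRecord] = [
    VmRecord("web01", True, date(2024, 5, 20), "fp-a1"),
    VmRecord("db01", True, date(2024, 5, 28), "fp-b2"),
    VmRecord("demo-lab-01", False, date(2024, 1, 3), "fp-c3"),
    VmRecord("demo-lab-02", False, None, "fp-c3"),          # cloned from demo-lab-01, never registered
    VmRecord("test-clone-7", True, date(2024, 5, 30), "fp-c3"),  # another clone, registered nowhere
]


def audit(discovered: List[VmRecord], approved: Set[str], today: date,
          sla_days: int = PATCH_SLA_DAYS) -> Dict[str, List[str]]:
    """Return {vm_name: [finding, ...]} for every VM that fails at least one check.

    Findings, in the order they are appended:
      unregistered             - the hypervisor knows a VM the approved list does not
      no_av                    - no anti-virus agent reported
      unpatched                - never patched, or patched longer ago than the SLA allows
      shared_admin_credential  - the same admin credential fingerprint appears on more than one VM
    """
    findings: Dict[str, List[str]] = defaultdict(list)
    cred_owners: Dict[str, List[str]] = defaultdict(list)

    for vm in discovered:
        cred_owners[vm.admin_cred_fingerprint].append(vm.name)
        if vm.name not in approved:
            findings[vm.name].append("unregistered")
        if not vm.av_installed:
            findings[vm.name].append("no_av")
        if vm.last_patched is None or (today - vm.last_patched).days > sla_days:
            findings[vm.name].append("unpatched")

    # A credential reused across hosts is exactly the springboard the post describes:
    # one compromised VM hands over every other VM built from the same template.
    for owners in cred_owners.values():
        if len(owners) > 1:
            for name in owners:
                findings[name].append("shared_admin_credential")

    return dict(findings)


def run_sample_audit() -> Dict[str, List[str]]:
    """Run the audit over the constructed inventory with the fixed audit date."""
    return audit(DISCOVERED_VMS, APPROVED_VMS, AUDIT_DATE)


if __name__ == "__main__":
    for name, problems in sorted(run_sample_audit().items()):
        print(f"{name}: {', '.join(problems)}")
```

On the sample data the two approved, maintained servers produce no findings, while the demo-lab clone that was never registered fails every check, which is the situation the engineer in the story was describing. The shared-credential check is the one worth keeping even if the rest is replaced by a commercial tool: it catches template sprawl that per-host patch and AV reporting will never show.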