Saturday, April 11, 2009

Here it is, that potential vulnerability now is true

Run code on the host from a VM. That was something that everybody who had taken virtualization with a grain of salt when talking about security has been talking about. Today VMWare is releasing a patch for a vulnerability that allows that to take place. Scary.This is a reminder for you to avoid excessive resource sharing by VMs from different trust levels, like DMZ and internal servers. When you put VMs from different isolated network segments running in the same host you are creating a potential bypass for the whole network segmentation infrastructure.Additionally, it's interesting to think about the implications of having your VMs running on a cloud service provider, together with VMs from other organizations. As we don't know about their security posture it's better to assume they are owned, for security planning purposes. That means that if the service provider does not patch his host systems in time your VMs will be owned too. So, what's the policy of your cloud services provider about these issues? Time to ask them.
I've just seen a very nice video showing an exploit for this vulnerability in action. Check it here.

No comments:

Post a Comment