Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

VMWare Downplays ESX Source Code Leak

After an attacker recently leaked the source code for VMware’s ESX Server online, VMware downplayed the significance of the breach, saying the stolen code was outdated.

After an attacker recently leaked the source code for VMware’s ESX Server online, VMware downplayed the significance of the breach, saying the stolen code was outdated.

VMWare Source Code LeakThe perpetrator, under the name Stun, posted a link Twitter to a torrent site hosting the VMkernel source code on Nov. 4. ESX is a bare-metal hypervisor that manages virtual machines on physical servers, and precedes ESXi. The newer ESXi technology runs VMware agents on the VMkernel.

VMware’s director of platform security Iain Mulholland acknowledged the breach in a post on the VMware Security & Compliance blog Sunday.

“Our security team became aware of the public posting of VMware ESX source code dating back to 2004,” Mulholland wrote.

While the code may be from between 1998 and 2004, “kernels don’t change that much,” Stun wrote in the “Description” section of the torrent download page. The code may get extended or adapted, but some core functionality stays the same, Stun noted. Reverse engineering existing products would reveal the source code’s “true destiny,” according to the message.

This isn’t the first time VMware source code was leaked as there were two earlier incidents this year, on April 24 and May 3. The latest source code theft was “related” to the earlier breach, and it was “possible that more related files will be posted in the future,” Mulholland admitted.

Previous reports indicated the earlier VMware source code leak was the result of a security breach at the China National Electronics Import and Export, an engineering and electronics company based in Beijing. As part of that leak, some of the company’s internal emails were pasted on Pastebin by a person going by the name Hardcore Charlie.

Customers should make sure they have the latest product updates and security patches for their specific VMware environments, Mulholland said. Customers should also apply the company’s guidelines for security hardening to protect the environment from attacks, he said.

“By applying the combination of the most current product updates and the relevant security patches, we believe our customer environments will be best protected,” Mulholland said.

As for VMware’s claim that the thief had only outdated code, it sounds a lot like what Symantec said earlier this year when the security company admitted some of its source code had been stolen back in 2006. In that breach, source code for “2006-era versions” of Norton Antivirus Corporate Edition, Norton Internet Security, pcAnywhere and Norton SystemWorks, which include Norton Utilities and Norton GoBack, were stolen, Symantec said. Shortly after the announcement, the thieves, a group calling themselves Lords of Dharmaraja, posted the files online.

Symantec at the time said the exposed code was outdated enough that customers didn’t have to worry about any attacks stemming from the theft. However, that turned out to be not quite the case as Symantec later told customers there was an “increased risk” for man-in-the-middle attacks and exploits for the pcAnywhere remote access tool.

An anonymous submission to the InfoSec Institute on Feb. 17 showed that pcAnywhere’s source code was relatively unchanged from 10 years ago, and most of the changes over the years focused on ensuring the software could run on newer versions of Microsoft Windows. “A surprising amount of the core code originates from what is now 10 years ago with only a few added changes,” the researcher wrote in the InfoSec Institute post.

It’s not known at this point the extent the latest source code files overlaps with current VMware products, but IT administrators should be looking at layered security to protect their virtual infrastructure from attack.

Written By

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.