ESX Security Issues

Some security vulnerabilities in VMware ESX Server have been disclosed in the last few days. Secunia released this advisory covering multiple vulnerabilities, including flaws in the versions of OpenSSH, OpenSSL, and Python bundled with the service console (which, as you may already know, is a modified form of Red Hat Enterprise Linux).

A patch to address these vulnerabilities is available for the affected versions of ESX from the VMware web site; the links for the ESX 3.0.0 and ESX 3.0.1 patches are below.

Patch for ESX 3.0.0:
http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html

Patch for ESX 3.0.1:
http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html

One of the vulnerabilities mentioned in the Secunia advisory above pertains to incorrect SSL key permissions; more information on that issue can be found in this VMware KB document.  This issue also affects some of VMware’s hosted products, such as VMware Server, VMware Player, and VMware Workstation.

In addition, a possible cross-site scripting exploit has been uncovered in Apache, which is used by ESX Server. VMware provides more information on the possible exploit on their web site, and further details are available in the CVE candidate entry.


  1. Greg

    How does one protect unpatched VMs in production environments? When applications and physical devices are uncoupled, exactly how would a NIPS or HIPS function properly in a “VM sprawl” environment?

  2. slowe

    Greg,

    I suppose if you work for Blue Lane Technologies (as you do, apparently) you recommend one of your boxes/products to take care of that problem. Of course, other vendors would have their own recommendations as well.

    Otherwise, we can use open systems NIPS (Snort and the like) to watch for and intercept traffic on the vSwitches inside ESX Server. We could even deploy physical NIPS systems, except for the fact that we’d lose visibility of the VM-to-VM traffic that occurs inside ESX on the vSwitch.

    If you have recommendations other than plugging your own product, I’d love to hear them.

    Thanks,
    Scott