
VMware downplays ESX hypervisor source code leak

Marcia Savage, Site Editor

VMware said Tuesday that source code for its ESX hypervisor product was leaked online, but downplayed the risk to customers.

The company’s security team became aware on Monday “of the public posting of a single file from the VMware ESX source code and the possibility that more files may be posted in the future,” Iain Mulholland, director of VMware Security Resource Center, said in a blog post.

“The fact that the source code may have been publicly shared does not necessarily mean there is any increased risk to VMware customers,” he said.

A spokesperson for Palo Alto, Calif.-based VMware did not immediately respond to a request for additional information Wednesday afternoon.

According to a report published on Threatpost, an anonymous hacker who goes by the name of “Hardcore Charlie” claims to have downloaded about 300MB of VMware.

The poster referred people to a website containing scans of documents that appear to be of an email exchange between VMware engineers discussing untruncated memory segments as part of restricting memory access to protect data. The documents appear to be from Beijing-based China National Electronics Import & Export Corp. (CEIEC). The CEIEC is involved in importing and exporting a variety of electronics for military use and foreign governments. It has a broad scope that includes hardware, software, business consulting and IT services.

“I see it as potentially very serious, but it depends on what source code it is,” Dave Shackleford, a virtualization expert and owner and principal consultant at Voodoo Security, said in an email. “If it’s hypervisor code, [it] could be devastating. If it’s just ESX service console, it’ll be mostly Linux code, which is not such a big deal.”

Eric Fisher, security consultant at Overland Park, Kan.-based FishNet Security, said a number of companies with widely deployed technology have had source code leaks in recent years. “The net result is if the implementation is done well, then your risk is mitigated regardless of the product you’re using,” he said.

If a company follows security best practices by building in layers of security and isolating critical systems, it mitigates its risk, even if it turns out an ESX component has a vulnerability associated with a leakage, he said.

