VMware said Tuesday that source code for its ESX hypervisor product was leaked online, but downplayed the risk to customers.
The company’s security team became aware on Monday “of the public posting of a single file from the VMware ESX source code and the possibility that more files may be posted in the future,” Iain Mulholland, director of VMware Security Resource Center, said in a blog post.
“The fact that the source code may have been publicly shared does not necessarily mean there is any increased risk to VMware customers,” he said.
A spokesperson for Palo Alto, Calif.-based VMware did not immediately respond to a request for additional information Wednesday afternoon.
According to a report published on Threatpost, an anonymous hacker who goes by the name of “Hardcore Charlie” claims to have downloaded about 300MB of VMware.
The poster referred people to a website containing scans of documents that appear to be of an email exchange between VMware engineers discussing untruncated memory segments as part of restricting memory access to protect data. The documents appear to be from Beijing-based China National Electronics Import & Export Corp. (CEIEC). The CEIEC is involved in importing and exporting a variety of electronics for military use and foreign governments. It has a broad scope that includes hardware, software, business consulting and IT services.
“I see it as potentially very serious, but it depends on what source code it is,” Dave Shackleford, a virtualization expert and owner and principal consultant at Voodoo Security, said in an email. “If it’s hypervisor code, [it] could be devastating. If it’s just ESX service console, it’ll be mostly Linux code, which is not such a big deal.”
Eric Fisher, security consultant at Overland Park, Kan.-based FishNet Security, said a number of companies with widely deployed technology have had source code leaks in recent years. “The net result is if the implementation is done well, then your risk is mitigated regardless of the product you’re using,” he said.
If a company follows security best practices by building in layers of security and isolating critical systems, it mitigates its risk, even if it turns out an ESX component has a vulnerability associated with the leak, he said.