Virtualization Security: Hacking VMware with VASTO

AlexNguyenAlexNguyen Member Posts: 358 ■■■■□□□□□□
Knowledge has no value if it is not shared.
Knowledge can cure ignorance, but intelligence cannot cure stupidity.

Comments

  • EveryoneEveryone Member Posts: 1,661
    Nice.

    Yes gaining access to a host would easily give you access to every guest on it. It'd be just like gaining physical access to a physical server. It is very easy to "own" any machine if you have physical access to it. It'd be even easier to "own" a VM if you gained access to the host. On a physical you could at least use a BIOS password to make it more difficult. A BIOS password on a VM is pretty much useless, all you have to do is edit or delete a file on the host to reset the virtual BIOS back to defaults and get rid of the password.
  • jayc71jayc71 Member Posts: 112 ■■■■□□□□□□
    That tool doesn't seem to actually attack any vulnerability in the hypervisor itself, it just allows for a brute force or MitM attack against a connection to the ESX host. That's a known avenue of attack, and the best practice to avoid such an attack is to isolate the management traffic vLAN so that it's ACL'd and not globally accessible. VMware acknowledges that such attacks are possible, it's actually not preventable from the host-side and has nothing to do with virtualization, it's more of a standard security issue.

    Just seems a bit sensationalist to me... sure, ESX runs a stripped down linux console, if you can attack that directly you can potentially access the hosted VMs. In short, secure your environment! icon_cool.gif
    CISSP, CCSP, CCSK, Sec+, AWS CSA/Developer/Sysops Admin Associate, AWS CSA Pro, AWS Security - Specialty, ITILv3, Scrummaster, MS, BS, AS, my head hurts.
  • jmritenourjmritenour Member Posts: 565
    Also, if the hosts (4.1 or later) are being managed by a vCenter server, enable lockdown mode to prevent direct connection from the vSphere client, and make sure your vCenter server has a decent password/lockout policy.
    "Start by doing what is necessary, then do what is possible; suddenly, you are doing the impossible." - St. Francis of Assisi
  • ChooseLifeChooseLife Member Posts: 941 ■■■■■■■□□□
    jayc71 wrote: »
    That tool doesn't seem to actually attack any vulnerability in the hypervisor itself, it just allows for a brute force or MitM attack against a connection to the ESX host. That's a known avenue of attack, and the best practice to avoid such an attack is to isolate the management traffic vLAN so that it's ACL'd and not globally accessible. VMware acknowledges that such attacks are possible, it's actually not preventable from the host-side and has nothing to do with virtualization, it's more of a standard security issue.

    Just seems a bit sensationalist to me... sure, ESX runs a stripped down linux console, if you can attack that directly you can potentially access the hosted VMs. In short, secure your environment! icon_cool.gif
    Totally agree.

    The author of the article has a promising start to the conclusion:
    "Security personnel need to follow some basic guidelines..."
    but the following guidelines completely miss the point.
    They key to prevent the two attacks, as jayc71 and jmritenour said, is to follow VMware design recommendations and isolate management network, configure firewalls on ESX/vCenter boxes, enable lockdown mode, and so on.
    “You don’t become great by trying to be great. You become great by wanting to do something, and then doing it so hard that you become great in the process.” (c) xkcd #896

    GetCertified4Less
    - discounted vouchers for certs
Sign In or Register to comment.