Interesting VMDK attack...

Just came across this..

VMDK Has Left the Building — Some Nasty Attacks Against VMware vSphere 5 Based Cloud Infrastructures - Insinuator

and the follow up to it...

VMDK Has Left the Building

Basically if you have an IaaS (infrastructure as a service) public/private "Cloud" provider that allows customers to upload their own VMDK files, you can upload one that will give you access to files on the Hypervisor, which basically would get you access to any other VMs hosted on it.

Seems like it probably isn't hard to prevent this type of attack.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

RobertKaucher

Everyone wrote: »

Basically if you have an IaaS (infrastructure as a service) public/private "Cloud" provider that allows customers to upload their own VMDK files, you can upload one that will give you access to files on the Hypervisor, which basically would get you access to any other VMs hosted on it.

I nearly spit my food out laughing when I read that.

the_Grinch

Oh no what is to become of our cloud savior?!?!

blargoe

Is it common for consumers of IaaS to be able to upload their own VMDK files?

Everyone

According to the article it is common. I've never had a desire to use such a service, let alone use one, so I dunno.

I bet that it won't be common much longer because of this though.

the_Grinch

I know Rackspace provides the base install and then leaves it up to you to install whatever else you need.

jmritenour

the_Grinch wrote: »

I know Rackspace provides the base install and then leaves it up to you to install whatever else you need.

That's what we do - provide base templates, then everything beyond that is up to the customer, at least for our public cloud offerings.

We do private clouds as well, and those are a bit more flexible. Some instances, we've let customers supply us with an OVF that we import. Those environments, however, are totally segregated and specific to one customer. Even if they did manage to compromise hypervisor security, it's all their stuff anyway, not like it's going to hurt anything if they can see their own VMs.

Interesting stuff though.

the_hutch

Everyone wrote: »

I bet that it won't be common much longer because of this though.

That's giving people way too much credit. Just because a vulnerability is known, doesn't mean people will start taking actions to correct it. SQL injection has been a known attack vector for years...and still, everyone and their mom still has SQL injection vulnerabilities

jibbajabba

To be fair though, hacker wouldn't pay money for this sort of thing, not a lot anyway and most cheap VPS/VDS provider using free hypervisor such as Xen or KVM etc.

Provider using VMware are probably a lot more expensive, too expensive for the hacker ...

Just a thought anyway ..

petedude

Hackers don't pay for those accounts, they steal them. The assumption is that an attacker would gain some sort of privileged access to the account (e.g. keyloggers, social engineering, dumpster diving), THEN use the information to upload the foul VM.

I'm slightly surprised to hear service providers allow that much access to begin with. As a service provider, you not only need to be mindful of your own security but the security of your clients. I'd think the only way to ensure appropriate control is to have trained in-house staff performing these installations.

the_Grinch

Nation States would be more then happy to pay for it. But you have to remember, if it were a targeted attack you'd have to know which server in the data center they were on. Could be done, but it would take time...