Interesting VMDK attack...
Just came across this..
VMDK Has Left the Building — Some Nasty Attacks Against VMware vSphere 5 Based Cloud Infrastructures - Insinuator
and the follow-up to it...
VMDK Has Left the Building
Basically if you have an IaaS (infrastructure as a service) public/private "Cloud" provider that allows customers to upload their own VMDK files, you can upload one that will give you access to files on the Hypervisor, which basically would get you access to any other VMs hosted on it.
Seems like it probably isn't hard to prevent this type of attack.
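The post above only says that a tenant-supplied VMDK can expose hypervisor files. The reason that works, as described in the linked Insinuator article, is that a VMDK is a small text descriptor plus one or more extent (data) files, and the descriptor's extent lines name those backing files by path; a crafted descriptor can therefore name a file on the ESXi host or another tenant's flat disk, and the guest then sees that file as part of its virtual disk. The checker below is an added example (not code from the original post, from Insinuator, or from VMware) of the kind of import-side validation a provider would want: every extent must be a plain file-backed type, must be a bare filename with no directory component, and must be one of the files the tenant actually uploaded next to the descriptor; the same rule is applied to parentFileNameHint, which a snapshot descriptor uses to name its base disk. The set of accepted extent types and the "must be in the upload" rule are this example's policy, not something the thread states, and both sample descriptors are constructed.

```python
"""Validator for uploaded VMDK descriptor files (added example).

A VMDK is a small text descriptor plus one or more extent (data) files, and
the descriptor's extent lines name those backing files by path. The checker
below accepts a descriptor only if every extent is a plain file-backed type,
names a bare filename (no directory component), and that filename is one of
the files the tenant actually uploaded alongside the descriptor. The same rule
is applied to parentFileNameHint, which a snapshot descriptor uses to name its
base disk. Both sample descriptors are constructed for illustration.
"""
import re
from pathlib import PurePosixPath

# access  sectors  TYPE  "filename"  [offset]      (ZERO extents carry no file)
EXTENT_RE = re.compile(
    r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+([A-Z]+)(?:\s+"([^"]*)")?(?:\s+(\d+))?\s*$'
)
PARENT_RE = re.compile(r'^parentFileNameHint\s*=\s*"([^"]*)"\s*$')

# Policy assumed by this example: plain file-backed extent types only.
# VMFSRDM / VMFSRAW map a physical LUN or raw device into the guest and
# must never be accepted from a tenant upload.
ALLOWED_TYPES = {"FLAT", "SPARSE", "VMFS", "VMFSSPARSE", "ZERO"}


def parse_extents(text):
    """Yield (access, sectors, extent_type, filename, offset) per extent line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = EXTENT_RE.match(line)
        if m:
            access, sectors, etype, fname, offset = m.groups()
            yield access, int(sectors), etype, fname, int(offset or 0)


def is_bare_filename(name):
    """True only for a plain filename: no directory part, no '.' or '..'."""
    if not name or name in (".", ".."):
        return False
    if "/" in name or "\\" in name:
        return False
    return PurePosixPath(name).name == name


def check_descriptor(text, uploaded_files):
    """Return reasons to reject the descriptor; an empty list means accept."""
    uploaded = set(uploaded_files)
    problems = []
    for _access, _sectors, etype, fname, _offset in parse_extents(text):
        if etype not in ALLOWED_TYPES:
            problems.append(f"extent type {etype} not allowed")
            continue
        if etype == "ZERO":
            continue  # no backing file to check
        if not is_bare_filename(fname or ""):
            problems.append(f"extent path escapes the VM directory: {fname!r}")
        elif fname not in uploaded:
            problems.append(f"extent names a file not in the upload: {fname!r}")
    # A snapshot descriptor names its base disk here; it gets the same rule.
    for raw in text.splitlines():
        m = PARENT_RE.match(raw.strip())
        if m:
            parent = m.group(1)
            if not is_bare_filename(parent) or parent not in uploaded:
                problems.append(f"parentFileNameHint not in the upload: {parent!r}")
    return problems


# Constructed sample: a legitimate 1 GiB (2097152 x 512-byte sectors) upload.
GOOD_DESCRIPTOR = """\
# Disk DescriptorFile
version=1
CID=fffffffe
parentCID=ffffffff
createType="vmfs"

# Extent description
RW 2097152 VMFS "customer-disk-flat.vmdk"

# The Disk Data Base
ddb.adapterType = "lsilogic"
"""

# Constructed sample: extents pointing at another tenant's flat disk and at a
# host file, a raw-device extent, and a parent hint outside the VM directory.
BAD_DESCRIPTOR = """\
# Disk DescriptorFile
version=1
CID=fffffffe
parentCID=ffffffff
createType="vmfs"
parentFileNameHint="../other-tenant/other-tenant.vmdk"

# Extent description
RW 2097152 VMFS "customer-disk-flat.vmdk"
RW 2048 FLAT "/vmfs/volumes/datastore1/other-tenant/other-tenant-flat.vmdk" 0
RW 2 FLAT "/etc/passwd" 0
RW 4096 VMFSRDM "customer-disk-rdm.vmdk"
"""

if __name__ == "__main__":
    uploaded = ["customer-disk.vmdk", "customer-disk-flat.vmdk"]
    print("good:", check_descriptor(GOOD_DESCRIPTOR, uploaded) or "accepted")
    for problem in check_descriptor(BAD_DESCRIPTOR, uploaded):
        print("bad:", problem)
```

The check deliberately works on the descriptor text before anything is registered with the hypervisor, and the whitelist is the list of files received in the same upload rather than "anything in the VM directory", so a descriptor cannot reach sibling files the tenant did not supply. Rejecting the raw-device extent types is a separate decision from the path check: those extents are valid descriptor syntax but give the guest a physical device rather than a file.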
Comments
RobertKaucher
OP wrote: »Basically if you have an IaaS (infrastructure as a service) public/private "Cloud" provider that allows customers to upload their own VMDK files, you can upload one that will give you access to files on the Hypervisor, which basically would get you access to any other VMs hosted on it.
I nearly spit my food out laughing when I read that.
the_Grinch
Oh no, what is to become of our cloud savior?!?!
WIP: PHP, Kotlin, Intro to Discrete Math, Programming Languages, Work stuff
blargoe
Is it common for consumers of IaaS to be able to upload their own VMDK files?
IT guy since 12/00
Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
Working on: RHCE/Ansible
Future: Probably continued Red Hat Immersion, possibly VCAP Design, or maybe a completely different path. Depends on job demands...
Everyone
According to the article it is common. I've never had a desire to use such a service, let alone used one, so I dunno.
I bet that it won't be common much longer because of this though.
the_Grinch
I know Rackspace provides the base install and then leaves it up to you to install whatever else you need.
jmritenour
the_Grinch wrote: »I know Rackspace provides the base install and then leaves it up to you to install whatever else you need.
That's what we do - provide base templates, then everything beyond that is up to the customer, at least for our public cloud offerings.
We do private clouds as well, and those are a bit more flexible. In some instances, we've let customers supply us with an OVF that we import. Those environments, however, are totally segregated and specific to one customer. Even if they did manage to compromise hypervisor security, it's all their stuff anyway; it's not like it's going to hurt anything if they can see their own VMs.
Interesting stuff though.
"Start by doing what is necessary, then do what is possible; suddenly, you are doing the impossible." - St. Francis of Assisi
the_hutch
Everyone wrote: »I bet that it won't be common much longer because of this though.
That's giving people way too much credit. Just because a vulnerability is known doesn't mean people will start taking actions to correct it. SQL injection has been a known attack vector for years... and still, everyone and their mom has SQL injection vulnerabilities.
jibbajabba
To be fair though, a hacker wouldn't pay money for this sort of thing, not a lot anyway, and most cheap VPS/VDS providers use free hypervisors such as Xen or KVM, etc.
Providers using VMware are probably a lot more expensive, too expensive for the hacker...
Just a thought anyway...
My own knowledge base made public: http://open902.com
petedude
Hackers don't pay for those accounts; they steal them. The assumption is that an attacker would gain some sort of privileged access to the account (e.g. keyloggers, social engineering, dumpster diving), THEN use the information to upload the foul VM.
I'm slightly surprised to hear service providers allow that much access to begin with. As a service provider, you not only need to be mindful of your own security but the security of your clients. I'd think the only way to ensure appropriate control is to have trained in-house staff performing these installations.
"Even if you're on the right track, you'll get run over if you just sit there." --Will Rogers
the_Grinch
Nation states would be more than happy to pay for it. But you have to remember, if it were a targeted attack you'd have to know which server in the data center they were on. Could be done, but it would take time...