Virtualization Security: Hacking VMware with VASTO

Source: *InfoSec Institute – IT Training and Information Security Resources – Virtualization Security: Hacking VMware with VASTO

Find more posts tagged with

Comments

Everyone

Nice.

Yes gaining access to a host would easily give you access to every guest on it. It'd be just like gaining physical access to a physical server. It is very easy to "own" any machine if you have physical access to it. It'd be even easier to "own" a VM if you gained access to the host. On a physical you could at least use a BIOS password to make it more difficult. A BIOS password on a VM is pretty much useless, all you have to do is edit or delete a file on the host to reset the virtual BIOS back to defaults and get rid of the password.

jayc71

That tool doesn't seem to actually attack any vulnerability in the hypervisor itself, it just allows for a brute force or MitM attack against a connection to the ESX host. That's a known avenue of attack, and the best practice to avoid such an attack is to isolate the management traffic vLAN so that it's ACL'd and not globally accessible. VMware acknowledges that such attacks are possible, it's actually not preventable from the host-side and has nothing to do with virtualization, it's more of a standard security issue.

Just seems a bit sensationalist to me... sure, ESX runs a stripped down linux console, if you can attack that directly you can potentially access the hosted VMs. In short, secure your environment!

jmritenour

Also, if the hosts (4.1 or later) are being managed by a vCenter server, enable lockdown mode to prevent direct connection from the vSphere client, and make sure your vCenter server has a decent password/lockout policy.

ChooseLife

jayc71 wrote: »

That tool doesn't seem to actually attack any vulnerability in the hypervisor itself, it just allows for a brute force or MitM attack against a connection to the ESX host. That's a known avenue of attack, and the best practice to avoid such an attack is to isolate the management traffic vLAN so that it's ACL'd and not globally accessible. VMware acknowledges that such attacks are possible, it's actually not preventable from the host-side and has nothing to do with virtualization, it's more of a standard security issue.

Just seems a bit sensationalist to me... sure, ESX runs a stripped down linux console, if you can attack that directly you can potentially access the hosted VMs. In short, secure your environment!

Totally agree.

The author of the article has a promising start to the conclusion:
"Security personnel need to follow some basic guidelines..."
but the following guidelines completely miss the point.
They key to prevent the two attacks, as jayc71 and jmritenour said, is to follow VMware design recommendations and isolate management network, configure firewalls on ESX/vCenter boxes, enable lockdown mode, and so on.