Interesting VMDK attack...

EveryoneEveryone Member Posts: 1,661
Just came across this..

VMDK Has Left the Building — Some Nasty Attacks Against VMware vSphere 5 Based Cloud Infrastructures - Insinuator

and the follow up to it...

VMDK Has Left the Building


Basically if you have an IaaS (infrastructure as a service) public/private "Cloud" provider that allows customers to upload their own VMDK files, you can upload one that will give you access to files on the Hypervisor, which basically would get you access to any other VMs hosted on it.

Seems like it probably isn't hard to prevent this type of attack.

Comments

  • RobertKaucherRobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    Everyone wrote: »
    Basically if you have an IaaS (infrastructure as a service) public/private "Cloud" provider that allows customers to upload their own VMDK files, you can upload one that will give you access to files on the Hypervisor, which basically would get you access to any other VMs hosted on it.

    I nearly spit my food out laughing when I read that.
  • the_Grinchthe_Grinch Member Posts: 4,165 ■■■■■■■■■■
    Oh no what is to become of our cloud savior?!?!
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • blargoeblargoe Member Posts: 4,174 ■■■■■■■■■□
    Is it common for consumers of IaaS to be able to upload their own VMDK files?
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • EveryoneEveryone Member Posts: 1,661
    According to the article it is common. I've never had a desire to use such a service, let alone use one, so I dunno.

    I bet that it won't be common much longer because of this though.
  • the_Grinchthe_Grinch Member Posts: 4,165 ■■■■■■■■■■
    I know Rackspace provides the base install and then leaves it up to you to install whatever else you need.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • jmritenourjmritenour Member Posts: 565
    the_Grinch wrote: »
    I know Rackspace provides the base install and then leaves it up to you to install whatever else you need.

    That's what we do - provide base templates, then everything beyond that is up to the customer, at least for our public cloud offerings.

    We do private clouds as well, and those are a bit more flexible. Some instances, we've let customers supply us with an OVF that we import. Those environments, however, are totally segregated and specific to one customer. Even if they did manage to compromise hypervisor security, it's all their stuff anyway, not like it's going to hurt anything if they can see their own VMs.

    Interesting stuff though.
    "Start by doing what is necessary, then do what is possible; suddenly, you are doing the impossible." - St. Francis of Assisi
  • the_hutchthe_hutch Banned Posts: 827
    Everyone wrote: »
    I bet that it won't be common much longer because of this though.

    That's giving people way too much credit. Just because a vulnerability is known, doesn't mean people will start taking actions to correct it. SQL injection has been a known attack vector for years...and still, everyone and their mom still has SQL injection vulnerabilities
  • jibbajabbajibbajabba Member Posts: 4,317 ■■■■■■■■□□
    To be fair though, hacker wouldn't pay money for this sort of thing, not a lot anyway and most cheap VPS/VDS provider using free hypervisor such as Xen or KVM etc.

    Provider using VMware are probably a lot more expensive, too expensive for the hacker ...

    Just a thought anyway ..
    My own knowledge base made public: http://open902.com :p
  • petedudepetedude Member Posts: 1,510
    Hackers don't pay for those accounts, they steal them. The assumption is that an attacker would gain some sort of privileged access to the account (e.g. keyloggers, social engineering, dumpster diving), THEN use the information to upload the foul VM.

    I'm slightly surprised to hear service providers allow that much access to begin with. As a service provider, you not only need to be mindful of your own security but the security of your clients. I'd think the only way to ensure appropriate control is to have trained in-house staff performing these installations.
    Even if you're on the right track, you'll get run over if you just sit there.
    --Will Rogers
  • the_Grinchthe_Grinch Member Posts: 4,165 ■■■■■■■■■■
    Nation States would be more then happy to pay for it. But you have to remember, if it were a targeted attack you'd have to know which server in the data center they were on. Could be done, but it would take time...
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
Sign In or Register to comment.