Monthly Archives: December 2013

VMware Virtual Machine file descriptors security

Around 18 months ago, a security researcher reported that he found a bug in VMDK descriptor that allows user to access all driver in a VMware hypervisor. Today VMware released another vulnerability “VMware ESXi and ESX unauthorized file access through vCenter Server and ESX, in their words “an unprivileged vCenter Server user with the privilege “Add Existing Disk” to obtain read and write access to arbitrary files on ESXi or ESX.”

It seems the security design of ESX will need to beef up. The file permission checking and access right verification in ESX has major issue that caused this type of privilege escalation. VMware shall disclose more on the file access right design and fundamentally upgrade it, not just patching.

With Xmas holiday is coming, not sure how soon this patch will be pushed to production environment!

What happens without a Christmas tree

Recently, I have been involved in cloud security discussions in different occasion. As Christmas is coming, I think it is worth to repeat a point I made in 2005 via securityfocus.com mail list and still it is valid. It regarding BS7799 and its controls. 

“Without a Christmas tree, you can still have decorations but it would be a mess. With a Christmas tree, the decorations fit into a big picture and you can see where needs what.”

URL : http://www.securityfocus.com/archive/134/412802/30/480/threaded