Tag Archives: Vmware

VMware Virtual Machine file descriptors security

Around 18 months ago, a security researcher reported that he found a bug in VMDK descriptor that allows user to access all driver in a VMware hypervisor. Today VMware released another vulnerability “VMware ESXi and ESX unauthorized file access through vCenter Server and ESX, in their words “an unprivileged vCenter Server user with the privilege “Add Existing Disk” to obtain read and write access to arbitrary files on ESXi or ESX.”

It seems the security design of ESX will need to beef up. The file permission checking and access right verification in ESX has major issue that caused this type of privilege escalation. VMware shall disclose more on the file access right design and fundamentally upgrade it, not just patching.

With Xmas holiday is coming, not sure how soon this patch will be pushed to production environment!

VCPs technical analysis on the MAS Technology Risk Management guidelines.

Since Singapore MAS released the TRM guideline last month, I believe many people are studying them (including me). Big Four accounting firms are usually most active in publishing explanatory reports and article with a purpose to generate more business leads.

However, a group of Vmware certified professionals are taking the lead this time. They worked together and published a MAS TRM analysis report focusing on DR and visualization. Some of the observations are valid. The document could be found at Vmware website

 A few I like to share

  •  Process and Committee oriented. No Agile and rapid innovation. 
  • All social media sites, cloud-based storage, web-based emails are classified as “unsafe internet services”. No technical fact given to support why they they are all insecure.
  • Trust no employee :Sys Admin must be tracked.