Virtualization, Windows, Infrastructure and all that “stuff” in-between

VMWare Vulnerability during VMotion.. is it really?

February 27, 2008

 

As the Hoff posts here and on VMTN here. the proposed vulnerability that you can manipulate and possibly compromise a VM during a VMotion process isn’t exactly major, it’s clever.. but - like anything if you don’t follow the best-practice recommendations then you expose yourself to these risks… same reason they recommend you lock your server room or don’t have blank passwords - this attack is akin to gaining physical access to the hardware or being able to sniff a physical switch port - in this instance, it’s “virtual” hardware.

VMWare have always recommended keeping the VMotion traffic on a separate VLAN or network.

the other vulnerability where VMTools can be compromised on is different, but again preventable.. and not enabled on server instances of VMWare.

---

Possibly related posts: (automatically generated)

• VMWare VMotion

Posted in ESX, Geeky, Security, VMWare, VMotion, vulnerability |

One comment

1. 

   My thoughts exactly!

   http://blog.scottlowe.org/2008/02/27/moving-past-the-hype/

        by Scott Lowe February 29, 2008 at 12:02 pm
   

Leave a Comment

• Subscribe in a reader

  

  

  

  

• My TechEd EMEA 2008 Twitter Feed

  • vinf_net: Blog updated at vinf.net with day 5 content, end of twitter feed. November 7, 2008
  • vinf_net: Uninformed November 7, 2008
  • vinf_net: Azure os code name red dog, mentioned a few times now November 7, 2008
  • vinf_net: Kernel mOde patch guard blacklist certain drivers x64 os only November 7, 2008
  • vinf_net: Runtime hours November 7, 2008
  • vinf_net: Autoruns can save info to a file so you can send to someone else for comparison November 7, 2008
  • vinf_net: Vista and later only generate dumps on app crash unless windows online error reporting asks for more info November 7, 2008
  • vinf_net: Spy++ list alll windows November 7, 2008
  • vinf_net: Can suspend individual threads November 7, 2008
  • vinf_net: Can show which threads have most cycles November 7, 2008
  • vinf_net: Process mon configure to pull down symbols from Microsoft November 7, 2008
  • vinf_net: Server with no network access mmc snap in configured to check CRL November 7, 2008
  • vinf_net: Use proc mon to view which TCP IP connections an individual process is using November 7, 2008
  • vinf_net: Explorer always looks orphaned in proc explorer as its started by wininit which exits afterwards November 7, 2008
  • vinf_net: The case of the unexplained mark russinovitch November 7, 2008
  • vinf_net: Ulf built a script based approach to dump and recreate for simple dc site servers, shops etc and do automated reACL of files to swap SIDs November 7, 2008
  • vinf_net: Poptected object attribute in 2008 very useful hurdle against script or clumsy admin November 7, 2008
  • vinf_net: 2008 r2 AD recycle bin needs 2008 forest level, so will need to keep older methods for a while as its a while for orgs to get 2008r2 level November 7, 2008
  • vinf_net: Use ldiffe in import mode to pull back attribs from snapshot, one identity.com tool to do it all for free :) November 7, 2008
  • vinf_net: Tombstone recovery only brings back sid and guid, but snapshot recovery can come from snapshot to get groups and attribs November 7, 2008

• Blogroll

  • Bladewatch
  • Build a better Test Lab
  • Dick Morrell’s Blog
  • Mark Wilson
  • P2V Backup
  • Paul Thurrott’s WinSuperSite Blog
  • RTFM education
  • Scott Lowe
  • Techhead
  • The Blade Vault
  • Thomas - MS MVP & Trainer
  • Tout Virtual
  • Virtual PC guy’s weblog
  • Where is project BlackBox?
  • WordPress.com
  • WordPress.org

• Site Meter

  • 

• Recent Posts

  • Platespin Power Convert - Installation problem - Error Running a Custom Action
  • New Blogger - clusterfunk.co.uk
  • TechEd EMEA 2008 IT Pro - Day 5
  • TechEd EMEA 2008 IT Pro - Day 4
  • TechEd EMEA 2008 IT Pro - Day 3

• Top Posts

  • VMWare ESX v3.5 on Cheap PC Hardware
  • Running ESX 3.5 and 3i Under VMWare Workstation 6.5 Beta Build 91182
  • How does an HP Fibre Channel Virtual Connect Module Work?
  • VMWare Licence Manager - LMTools
  • Cloud Wars: VMWare vs Microsoft vs Google vs Amazon Clouds
  • Virtual Centre Plug-in Repository
  • HP iLo Very Slow for Installing an OS
  • Running Exchange 2007 on VMWare ESX Server
  • Installed Windows Vista SP1 and Have No Sound?
  • Can you run ESX as a VM under ESX?

• Recent Comments

  	A video on how to ru… on Running ESX 3.5 and 3i Under V…
  	Ricky on Workstation VMs loose network…
  	Could Fan on Windows Azure under the h…
  	Willie Hernandez on Excellent Set of Resources for…
  	Mark Dean on VMWare ESX v3.5 on Cheap PC…

• Category Cloud

  Automated Installation blade Blogging Datacentre ESX Exchange Geeky Home Network HP Microsoft Office 2007 Outlook Performance Stats Tech-Ed Terminal Services Unattended Uncategorized useful Virtual Center 2.5 Virtual Fabric Virtual Grid Virtualization Vista VMWare VMWare Workstation 6.5 WAIK Windows Windows 2008 Windows PE Work

• Blog Stats

  • 107,099 hits

• The Latest from VMWare..

  • SRM, it’s just too easy » Yellow Bricks
  • Verifying the integrity of downloaded installer files (1537)
  • Thin Client Compatibility Guide For VMware Virtual Desktop Manager (VDM)
  • Systems Compatibility Guide For ESX Server 3.5 and ESX Server 3i
  • I/O Compatibility Guide For ESX Server 3.5 and ESX Server 3i
  • Storage / SAN Compatibility Guide For ESX Server 3.5 and ESX Server 3i
  • Systems Compatibility Guide For ESX Server 3.0.x
  • VI, SRM in a (Workstation) Box

• Visitors to this Blog

  

•  

  February 2008

  M	T	W	T	F	S	S
  « Jan				Mar »
  				1	2	3
  4	5	6	7	8	9	10
  11	12	13	14	15	16	17
  18	19	20	21	22	23	24
  25	26	27	28	29

Blog at WordPress.com.
Theme: Neat. Entries (RSS) and Comments (RSS).