Subscribe to my RSS Feed
Join 2,575 other subscribers
My ramblings on the stuff that holds it all together
Interesting article here
What if you could breach the hypervisor? best practice would dictate firewalling off the management traffic to the service console to a management network but what if you could exploit the VM Tools or other enlightenments/paravirtualizations to compromise the hypervisor – if you could you own every VM it’s running.
Does this compare to VLAN jumping on a Cisco switch? As far as I understand it show me a practical exploit to do this and the mitigation steps are quite well documented.
This is (and will) always a big issue with Multi-tennant systems but it’s the same issue that we currently face in most service providers, shared SANs, LAN, WAN, even physical buildings/suites etc. – virtualization is just a marketing tag, the same principals have been applied in the physical world for ages and mitigated against – I don’t think this is any different.
A session with the US Marine Corps at VMWorld 2007 mentioned that the US DoD had audited the code of ESX for this issue and found it to be satisfactory – but I’ve not seen this documented anywhere, if it’s safe for the US .mil isn’t it safe enough for you?
Compare risk vs cost saving, patch, mitigate, move on but keep your eyes open.