A member of the Gartner Blog Network

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Yes, Hypervisors Are Vulnerable.

by Neil MacDonald  |  January 26, 2011  |  5 Comments

In one of my first posts as a blogger nearly 2 years ago, I discussed the potential for disaster if a compromise in the virtualization platform (hypervisor/VMM) occurred.

Last year (I was intending to comment on this at the time, but it slipped my mind), I was reading the IBM X-Force 2010 Mid-Year Trend and Risk Report. Similar reports are available from other labs; however, this one had a section specifically on vulnerabilities and threats in virtualization.

I still have clients that are skeptical that the threat is real. The data gathered by IBM shows that the threat is real. The report shows several charts over several pages discussing vulnerabilities in virtualization platforms (both desktops and servers).

The chart in Table 5 (page 53 of the report) below really caught my eye. Check out the row that I’ve circled in red. It shows that many (35%!) of the server virtualization vulnerabilities resulted in an escape to the hypervisor which is described as

Vulnerabilities that allow an attacker to “escape” from a guest virtual machine to affect other virtual machines, or the hypervisor itself. In the case of workstation products, these vulnerabilities do not affect the host operating system.

[Image: Table 5 from the IBM X-Force 2010 Mid-Year Trend and Risk Report (page 53), with the “escape to hypervisor” row circled in red]

A breach of the virtualization platform which results in an escape to the hypervisor represents a worst-case security scenario. I’ll reiterate what I’ve been saying for more than 4 years:

  • The virtualization platform (hypervisor/VMM) is software written by human beings and will contain vulnerabilities. Microsoft, VMware, Citrix… all of them will have, and have had, vulnerabilities.
  • Some of these vulnerabilities will result in a breakdown in isolation that the virtualization platform was supposed to enforce. This is not good.
  • Bad guys will target this layer with attacks. The benefits of a compromise of this layer are simply too great.
  • While there have been a few disclosed attacks, it is just a matter of time before a widespread publicly disclosed enterprise breach is tied back to a hypervisor vulnerability.

What do you do? I’ve written about this extensively for clients. First and foremost, extend your vulnerability and configuration management processes to this layer just as you would for any sensitive OS. In fact, I’d argue that the virtualization platform is the most sensitive x86-based OS in your data center. Treat it as such.
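One way to act on that advice, as an added example that is not part of the original post: a baseline audit that puts each host's hypervisor build level and configuration under the same checks you would run against any other OS. The product names, build strings, setting keys and host names are constructed placeholders, not real vendor values.

```python
# Added example: audit hypervisor hosts against a patch-level and configuration baseline.
from typing import NamedTuple

class Host(NamedTuple):
    name: str
    product: str
    build: str          # vendor build/patch string, e.g. "4.1.0-348481" (constructed)
    settings: dict      # hypervisor config values collected from the host

# Constructed baseline: minimum acceptable build per product and the
# configuration values a hardened host must carry. All values are placeholders.
BASELINE = {
    "hypervisor-a": {"min_build": "4.1.0-348481",
                     "settings": {"mgmt_iface_isolated": True, "ssh_enabled": False}},
    "hypervisor-b": {"min_build": "6.1.7601-2",
                     "settings": {"mgmt_iface_isolated": True}},
}

def build_key(build: str) -> tuple:
    """Turn '4.1.0-348481' into (4, 1, 0, 348481) so builds compare numerically."""
    return tuple(int(p) for p in build.replace("-", ".").split("."))

def findings(host: Host) -> list:
    """Return the list of issues on a host; an empty list means it meets baseline."""
    base = BASELINE.get(host.product)
    if base is None:
        return ["product not covered by baseline (unmanaged hypervisor)"]
    issues = []
    if build_key(host.build) < build_key(base["min_build"]):
        issues.append(f"build {host.build} below minimum {base['min_build']}")
    for key, wanted in base["settings"].items():
        if host.settings.get(key) != wanted:
            issues.append(f"setting {key}={host.settings.get(key)!r}, expected {wanted!r}")
    return issues

def audit(hosts: list) -> dict:
    """Map each non-compliant host name to its findings."""
    return {h.name: findings(h) for h in hosts if findings(h)}

# Constructed inventory: one compliant host, one stale and misconfigured, one unknown product.
INVENTORY = [
    Host("vmm01", "hypervisor-a", "4.1.0-348481", {"mgmt_iface_isolated": True, "ssh_enabled": False}),
    Host("vmm02", "hypervisor-a", "4.0.0-261974", {"mgmt_iface_isolated": True, "ssh_enabled": True}),
    Host("vmm03", "hypervisor-z", "1.0", {}),
]

if __name__ == "__main__":
    for name, issues in audit(INVENTORY).items():
        print(name, "->", "; ".join(issues))
```

The unknown-product case is deliberate: a hypervisor your baseline does not even describe is the clearest sign that this layer has not been pulled into the existing process.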

5 responses so far

  • 1 Dave Aitel   January 27, 2011 at 2:10 pm

    My company released a lot of information on a set of vulnerabilities called CLOUDBURST a couple years ago. These affected VMware and were integrated into our penetration testing product CANVAS.

    You may not have heard of lots of companies getting hit with these sorts of things, but I imagine it’s mostly because no organization really has the capability to discover a penetration at that level.

  • 2 Neil MacDonald   January 27, 2011 at 2:57 pm

    @Dave,

    Thanks for the reminder. Yes, CLOUDBURST was a real attack on a real vulnerability and targeted against VMware Workstation code. I believe it was discussed at BlackHat in summer 2009.

    VMware patched the vulnerability shortly thereafter, which reinforces my point on patching. It also reinforces the fact that whatever solution you use for vulnerability management must be capable of understanding and assessing vulnerabilities in the virtualization platform. Likewise, are your penetration testing tools/providers (like CANVAS) testing for vulnerabilities at this layer?

    Neil

  • 3 Dave Aitel   January 28, 2011 at 12:59 pm

    Thanks for the response, Neil –

    Our perspective on this technology is that you have to assume your attackers have another CLOUDBURST. In other words, we agree with you.

    But the annoying conclusion you would then have to draw is that multi-tenant clouds have a significant security drawback – one that should prevent enterprises from deploying in them.

    This drastically reduces the cost-effectiveness of cloud hosting, especially if you consider that even one enterprise will probably have multiple levels of security, and hence, need multiple private clouds!

  • 4 Dave Aitel   January 28, 2011 at 1:00 pm

    P.S. CLOUDBURST is in CANVAS, but we do not test for anything generically – just for the vulnerabilities CLOUDBURST exploited. (CANVAS is not a fuzzer, nor would a fuzzer really be applicable here, I think?)

  • 5 SJB   January 31, 2011 at 4:51 pm

    The problem with all this is people keep lumping Hypervisor into one big puddle. Heck, the “disclosed attacks” link of yours is for an XBOX 360 hypervisor exploit; it’s running in a totally different context than ESX may be (like for one, physical access to our hosts is pretty damn hard).

    Consoles, Type 1, Type 2, are all different. We need to gather the relevant data. The data also needs to be broken down by vendor; that table on page 53 of the report is too high level. The VMware guys swear to us that ESX is secure and Hyper-V is not. MS say they are the same; Citrix tell us they are more secure than both, and Oracle just begs us to download their offering and at least try it.