Gartner Blog Network


Yes, Hypervisors Are Vulnerable.

by Neil MacDonald  |  January 26, 2011  |  5 Comments

In one of my first posts as a blogger nearly 2 years ago, I discussed the potential for disaster if a compromise in the virtualization platform (hypervisor/VMM) occurred.

Last year (I meant to comment on this at the time, but it slipped my mind) I read the IBM X-Force 2010 Mid-Year Trend and Risk Report. Similar reports are available from other labs, but this one had a section specifically on vulnerabilities and threats in virtualization.

I still have clients who are skeptical that the threat is real. The data gathered by IBM shows that it is: the report devotes several charts over several pages to vulnerabilities in virtualization platforms (both desktop and server).

The chart in Table 5 (page 53 of the report) below really caught my eye. Check out the row that I’ve circled in red. It shows that many (35%!) of the server virtualization vulnerabilities allowed an escape to the hypervisor, a class the report describes as

    Vulnerabilities that allow an attacker to “escape” from a guest virtual machine to affect other virtual machines, or the hypervisor itself. In the case of workstation products, these vulnerabilities do not affect the host operating system.

[image: Table 5, page 53 of the report, with the hypervisor-escape row circled in red]

A breach of the virtualization platform which results in an escape to the hypervisor represents a worst-case security scenario. I’ll reiterate what I’ve been saying for more than 4 years:

  • The virtualization platform (hypervisor/VMM) is software written by human beings and will contain vulnerabilities. Microsoft, VMware, Citrix … all of them have had vulnerabilities and will have more.
  • Some of these vulnerabilities will break the isolation that the virtualization platform was supposed to enforce. This is not good.
  • Bad guys will target this layer with attacks. The benefits of a compromise of this layer are simply too great.
  • While there have been a few disclosed attacks, it is just a matter of time before a widespread publicly disclosed enterprise breach is tied back to a hypervisor vulnerability.

What do you do? I’ve written about this extensively for clients. First and foremost, extend your vulnerability and configuration management processes to this layer just as you would for any sensitive OS. In fact, I’d argue that the virtualization platform is the most sensitive x86-based OS in your data center. Treat it as such.
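As an added example (not code from this post, nor any vendor’s tooling), here is what “extend your vulnerability and configuration management processes to this layer” can look like in practice: a check that walks a hypervisor inventory, compares each host’s build against a patch baseline kept per product and version, flags any product that has no baseline at all (the hypervisor the process forgot about, which is a gap in the process rather than a late patch), and then verifies a couple of hardening settings against policy. The inventory, build numbers, baseline values and setting names (lockdown, ssh) are all constructed for illustration and do not correspond to real releases, advisories or vendor configuration keys.

```python
"""Patch-baseline and configuration check for a hypervisor fleet.

Added example for this post, not code from the original or from any vendor.
The inventory, build numbers, baseline and setting names below are all
constructed for illustration and do not describe real releases or advisories.
"""
import csv
import io
from dataclasses import dataclass, field

# Constructed CMDB export: one row per hypervisor host. Build numbers are
# made up; 'settings' is a constructed key=value list from a collector.
INVENTORY_CSV = """\
host,product,version,build,settings
esx01.example.test,VMware ESXi,4.1.0,1000,lockdown=on;ssh=off
esx02.example.test,VMware ESXi,4.1.0,1450,lockdown=off;ssh=on
hv01.example.test,Microsoft Hyper-V,6.1,7600,lockdown=on;ssh=off
xen01.example.test,Citrix XenServer,5.6.0,31000,lockdown=on;ssh=off
lab01.example.test,Oracle VM,2.2.1,500,lockdown=on;ssh=off
"""

# Constructed baseline: minimum build accepted as 'patched' per product and
# version. Operationally this is maintained from vendor advisories, exactly
# as the patch baseline for any other OS would be.
BASELINE = {
    ("VMware ESXi", "4.1.0"): 1450,
    ("Microsoft Hyper-V", "6.1"): 7601,
    ("Citrix XenServer", "5.6.0"): 31000,
}

# Constructed hardening policy: expected value for each tracked setting.
REQUIRED_SETTINGS = {"lockdown": "on", "ssh": "off"}


@dataclass
class Host:
    name: str
    product: str
    version: str
    build: int
    settings: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str
    message: str


def parse_settings(text: str) -> dict:
    """Turn 'k1=v1;k2=v2' into a dict; an empty field gives {}."""
    pairs = (item.split("=", 1) for item in text.split(";") if "=" in item)
    return {k.strip(): v.strip() for k, v in pairs}


def parse_inventory(text: str) -> list:
    """Parse the CSV export into Host records."""
    hosts = []
    for row in csv.DictReader(io.StringIO(text)):
        hosts.append(Host(
            name=row["host"].strip(),
            product=row["product"].strip(),
            version=row["version"].strip(),
            build=int(row["build"]),
            settings=parse_settings(row.get("settings") or ""),
        ))
    return hosts


def check_host(host: Host, baseline=BASELINE, required=REQUIRED_SETTINGS) -> list:
    """Return findings for one host: patch level first, then configuration."""
    findings = []
    key = (host.product, host.version)
    if key not in baseline:
        # A hypervisor nobody has a baseline for is not being assessed at all;
        # that is a gap in the process itself, not merely a host behind on patches.
        findings.append(Finding(host.name, "high",
                                f"no patch baseline defined for {host.product} {host.version}"))
    elif host.build < baseline[key]:
        findings.append(Finding(host.name, "critical",
                                f"build {host.build} is below baseline build {baseline[key]}"))
    for setting, expected in required.items():
        actual = host.settings.get(setting)
        if actual != expected:
            findings.append(Finding(host.name, "medium",
                                    f"setting {setting}={actual!r}, policy requires {expected!r}"))
    return findings


def audit(inventory_csv: str, baseline=BASELINE, required=REQUIRED_SETTINGS) -> list:
    """Audit every host in the inventory and return all findings in inventory order."""
    findings = []
    for host in parse_inventory(inventory_csv):
        findings.extend(check_host(host, baseline, required))
    return findings


if __name__ == "__main__":
    for f in audit(INVENTORY_CSV):
        print(f"{f.severity.upper():<8} {f.host}: {f.message}")
```

On the constructed data this reports five findings: two hosts below their baseline build, one host whose product has no baseline at all, and two configuration deviations on a host that is fully patched. The “no baseline” case is deliberately rated high rather than informational: a hypervisor that falls outside the vulnerability management process is exactly the one nobody will notice being exploited.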

Category: next-generation-data-center  next-generation-security-infrastructure  virtualization  virtualization-security  

Tags: best-practices  cloud-security  hypervisor-security  information-security  next-generation-data-center  next-generation-security-infrastructure  virtualization  virtualization-security  vmware  

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…


Thoughts on Yes, Hypervisors Are Vulnerable.


  1. Dave Aitel says:

    My company released a lot of information on a set of vulnerabilities called CLOUDBURST a couple years ago. These affected VMWare and were integrated into our penetration testing product CANVAS.

    You may not have heard of lots of companies getting hit with these sorts of things, but I imagine it’s mostly because no organization really has the capability to discover a penetration at that level.

  2. Neil MacDonald says:

    @Dave,

    Thanks for the reminder. Yes, CLOUDBURST was a real attack on a real vulnerability and targeted against VMware workstation code. I believe it was discussed at BlackHat in summer 2009.

    VMware patched the vulnerability shortly thereafter, which reinforces my point on patching. It also reinforces the fact that whatever solution you use for vulnerability management must be capable of understanding and assessing vulnerabilities in the virtualization platform. Likewise, are your penetration testing tools/providers (like CANVAS) testing for vulnerabilities at this layer?

    Neil

  3. Dave Aitel says:

    Thanks for the response, Neil –

    Our perspective on this technology is that you have to assume your attackers have another CLOUDBURST. In other words, we agree with you.

    But the annoying conclusion you would then have to draw is that multi-tenant clouds have a significant security drawback – one that should prevent enterprises from deploying in them.

    This drastically reduces the cost-effectiveness of cloud hosting, especially if you consider that even one enterprise will probably have multiple levels of security, and hence, need multiple private clouds!

  4. Dave Aitel says:

    P.S. CLOUDBURST is in CANVAS, but we do not test for anything generically – just for the vulnerabilities CLOUDBURST exploited. (CANVAS is not a fuzzer, nor would a fuzzer really be applicable here, I think?)

  5. SJB says:

    The problem with all this is people keep lumping hypervisors into one big puddle. Heck, the “disclosed attacks” link of yours is for an Xbox 360 hypervisor exploit; it’s running in a totally different context than ESX may be (like, for one, physical access to our hosts is pretty damn hard).

    Consoles, Type 1, Type 2 are all different. We need to gather the relevant data. The data also needs to be broken down by vendor; that table on page 53 of the report is too high-level. The VMware guys swear to us that ESX is secure and Hyper-V is not. MS say they are the same; Citrix tell us they are more secure than both, and Oracle just begs us to download their offering and at least try it.


