Serious Break-Out Security Flaw Found in VMware Cloud

A cloud is typically a “multi-tenant” hosting infrastructure where the owners of the virtual machines in the IaaS are customers of the hosting provider. This might be a private implementation in a corporation, government agency, or university.  It might be a hosting company (such as Rackspace) selling capacity to anyone with Internet access and a credit card.

I worked in the hosting biz for 3 years using virtualisation for IaaS.  When I was asked about it, I told people that:

  • No customer/tenant could trust any other customer/tenant
  • I (the hosting company) could not trust any customer/tenant

That’s because:

  1. Some of the customers/tenants favoured convenience over security, or they were complete and utter morons
  2. I didn’t know them from Adam and they could have been up to no good

Trustworthy isolation was critical, and the virtualisation being used had to be rock solid.  I could not risk one tenant getting access to another, and under no circumstances could I let them near the infrastructure.

And that’s why a post on a Microsoft Canada blog which linked to a research article caught my attention yesterday.

Long story short: A hacker can craft a VMDK descriptor file, upload it to a cloud (a feature that is offered for migration), and configure that descriptor file to load VMware ESXi system files directly into the virtual machine.  They successfully tested this on ESX 5.0, loading the /etc/shadow file, which according to nixCraft:

… stores actual password in encrypted format for user’s account with additional properties related to user password i.e. it stores secure user account information

Woops!  That sounds like a file you don’t want to be making readily available.  Remember: this was a “hosting customer” that uploaded a VM as a guest, fired up the VM, and gained access to the usernames/passwords of the host.  They also got access to other files such as system logs. 

They then went on to gain access to all physical hard drives on the host.  You have to be kidding me!!!!!

So if you are a company setting up a cloud with VM upload/migration features, and basic security is important, then don’t use vSphere 5.0.
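For a provider that has to keep accepting uploads, one extra layer is to inspect every uploaded descriptor before it gets anywhere near a host. The sketch below is an added example, not code from the research article or from VMware. It assumes the publicly documented text layout of VMDK extent lines (access, size, type, quoted file name, optional offset); the function name and the sample descriptors are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Extent lines in a VMDK descriptor: access, size in sectors, type,
# then (for most types) a quoted file name and an optional offset.
ACCESS_RE = re.compile(r'^(RW|RDONLY|NOACCESS)\s', re.I)
EXTENT_RE = re.compile(
    r'^(?:RW|RDONLY|NOACCESS)\s+\d+\s+(\w+)(?:\s+"([^"]*)")?(?:\s+\d+)?\s*$', re.I)

def unsafe_extents(descriptor_text):
    """Return (line_no, value, reason) for each extent an upload gate should reject."""
    findings = []
    for no, raw in enumerate(descriptor_text.splitlines(), 1):
        line = raw.strip()
        if not ACCESS_RE.match(line):
            continue                      # header, comment or ddb entry
        m = EXTENT_RE.match(line)
        if not m:
            findings.append((no, line, "unparseable extent line"))  # fail closed
            continue
        kind, name = m.group(1), m.group(2)
        if name is None:
            if kind.upper() != "ZERO":    # ZERO extents carry no file name
                findings.append((no, line, "missing file name"))
            continue
        parts = PurePosixPath(name).parts
        if name.startswith("/"):
            findings.append((no, name, "absolute path"))
        elif ".." in parts:
            findings.append((no, name, "parent-directory reference"))
        elif len(parts) != 1:
            findings.append((no, name, "not a plain file name"))
    return findings

# Constructed sample descriptors (not taken from the research article).
GOOD = """\
# Disk DescriptorFile
version=1
createType="monolithicFlat"
RW 41943040 FLAT "web01-flat.vmdk" 0
"""
BAD = (GOOD + 'RW 2048 FLAT "/constructed/host/path" 0\n'
            + 'RW 2048 FLAT "../tenant-b/db01-flat.vmdk" 0\n')

if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, unsafe_extents(text) or "accepted")
```

A descriptor with any finding should be refused outright rather than rewritten, and the check only narrows the upload path; it is no substitute for fixing the host.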


One thought on “Serious Break-Out Security Flaw Found in VMware Cloud”

  1. Wow. Both equally amazing and disappointing. It’s for this fear that I’ve always liked the idea of using VMware instead of Hyper-V, because I imagine(d) that it’d be harder to gain control of a Linux system (ESXi) from a Windows VM as the security would be different (note that most admins add their VMs to the same domain as their host).

    What immediately came to mind with this issue is that it’s probably a really bad idea to host LAN VMs on the same host as your DMZ VMs, because obviously the DMZ is more exposed. Of course I’m not talking about cloud providers here, rather standard companies.
