A cloud is typically a \u201cmulti-tenant\u201d hosting infrastructure where the owners of the virtual machines in the IaaS are customers of the hosting provider. This might be a private implementation in a corporation, government agency, or university. It might be a hosting company (such as Rackspace) selling capacity to anyone with Internet access and a credit card.<\/p>\n
I worked in the hosting biz for 3 years using virtualisation for IaaS. When I was asked about it, I told people that:<\/p>\n
That\u2019s because:<\/p>\n
Trustworthy isolation was critical, and the virtualisation being used had to be rock solid. I could not risk one tenant getting access to another, and I absolutely in any circumstance could never let them near the infrastructure.<\/p>\n
And that\u2019s why a post<\/a> on a Microsoft Canada blog which linked to a research article<\/a> caught my attention yesterday.<\/p>\n Long story short: A hacker can craft a VMDK descriptor file, upload it to a cloud (a feature that is offered for migration), and configure that descriptor file to load VMware ESXi system files directly into the virtual machine. They successfully tested this on ESX 5.0, loading the \/etc\/shadow file, which according<\/a> to nixCraft:<\/p>\n \u2026 stores actual password in encrypted format for user’s account with additional properties related to user password i.e. it stores secure user account information<\/p>\n<\/blockquote>\n Woops! That sounds like a file you don\u2019t want to be making readily available. Remember: this was a \u201chosting customer\u201d that uploaded a VM as a guest, fired up the VM, and gained access to the usernames\/passwords of the host. They also got access to other files such as system logs. <\/p>\n They then went on to gain access to all physical hard drives on the host<\/em><\/u><\/strong>. You have to be kidding me!!!!!<\/p>\n So if you are a company setting up a cloud with VM upload\/migration features, and basic security is important, then don\u2019t use vSphere 5.0.<\/p>\n A cloud is typically a \u201cmulti-tenant\u201d hosting infrastructure where the owners of the virtual machines in the IaaS are customers of the hosting provider. This might be a private implementation in a corporation, government agency, or university. It might be a hosting company (such as Rackspace) selling capacity to anyone with Internet access and a … Continue reading “Serious Break-Out Security Flaw Found in VMware Cloud”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[46],"tags":[190,195,103],"class_list":["post-13363","post","type-post","status-publish","format-standard","hentry","category-virtualisation","tag-security","tag-virtualisation","tag-vmware"],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n