» VirtSec

Researchers cure blue pill virtualization attack

spiv — Mon, 10 May 2010 21:30:29 +0000

Two researchers from North Carolina State University have developed software that they say can protect virtualization hypervisors from malicious “Blue Pill” rootkit threats.

“HyperSafe enables the hypervisor self-protection from code injection attempts,” said Xuxian Jiang, an assistant professor of computer science at NCSU.

Jiang, along with his PhD. student Zhi Wang, developed the software, called HyperSafe, with funding from the U.S. Army Research Office and the National Science Foundation.

For the rest of this article please follow this link, blue pill.

Scoobydoo and the case of virtualization insecurity!

spiv — Wed, 13 Jan 2010 17:38:23 +0000

Virtualization Myths

Thought I would share this presentation with everyone from a recent seminar that I gave at the back end of last year entitled “Security in a Virtual World”.

The seminar was well attended and as well as myself there were 2 other speakers one from VMware and the other from Check Point who were demonstrating there VMsafe Firewall offering.

My presentation introduces why you need security in a virtual environment and explores some ideas and is designed to get you thinking about your own architecture before you just simply take the ESX CD and bound off into oblivion.

You can check out the presentation at this link: http://bit.ly/8Vh4MM

VMotion fails after an ESX host is port scanned

spiv — Thu, 17 Dec 2009 15:11:22 +0000

This appeared on a VMware KB article back in August but some of you may have not seen it. Basically if you use a port scanner like NMAP and scan an ESX host in particular on port 8000, subsequent VMotion events will fail.

The only way to get VMotion to work again is to disable and then re-enable VMotion. It’s interesting that this service is obviously not robust enough to cope with a simple port scan and also highlights the fact that you should be isolating your vmotion network from general network traffic.

The original VMware article can be viewed here, KB1010672

VMware Web Services SDK open to Brute Force Attacks

spiv — Fri, 27 Nov 2009 16:13:22 +0000

If you didn’t already know this the VMware Web Services SDK is a WSDL API that allows developers to write applications that integrate with VMware. You can also query this API using a standard web browser. The WSDL interface requires authentication and once authenticated you have access to the entire API as shown in the screenshot below.

Even if you are not a developer once authenticated using the browser you can query the virtual infrastructure in much the same way as you would using the standard VI client. You can also scheduled tasks which means you have a lot of power, eg. shutdown VM’s, Change configs etc.

Bruteforce Attack

The interesting thing to note is that the interface can be attacked using Brute Force techniques, so if you do not have adequate access control mechanisms in place you are leaving your virtual infrastructure open to compromise.

To mitigate this from happening I would suggest you lock down which source IP’s in your network are allowed to access vCenter and each ESX host, and never expose your Virtual Management layer to the Internet.

VirtSec Training

spiv — Tue, 24 Nov 2009 22:54:17 +0000

First UK VirtSec Training course to be offered in London from February 2010. I am just putting the finishing touches to the content and format for this 2 day course. More details will follow shortly if you would like to register your interest in attending this course then please register here.