VMware ESX source code 'leaked online'

VMware ESX source code 'leaked online'

Summary: A hacker, who this month accessed a Beijing-based electronics import and export corporation, has released code fragments of VMware's ESX virtualisation software.

SHARE:

VMware has warned its users after fragments of its ESX virtualisation software source code appeared online.

The leak stems from an attack by a hacker calling himself "Hardcore Charlie", and claims to have 300MB of VMware's source code and vast amounts of internal data from other companies.

Documents appeared on image-sharing site Imgur and code sharing site Pastebin, often used by hackers to leak contents of network breaches.

Iain Mulholland, director of VMware's Security Response Center, said despite the code leak, it "does not necessarily mean that there is any increased risk to VMware customers," and takes the matter of security seriously. The company said it is engaging with "internal and external resources".

Kaspersky's Threatpost said that the hacker claims to have hacked China's National Electronics Import and Export Corp. (CEIEC) in March, which led to other information being leaked. Samples of VMware's code have already been released, with promises of more CEIEC data in May, after the hacker claimed he was investigating U.S. military activities.

CEIEC denied the claims calling them "totally groundless, highly subjective and defamatory."

The hack appears to be of a similar nature to how Symantec's legacy anti-virus source code was leaked after an Indian intelligence service network was hacked, though VMware did not respond to questions at the time of publication.

Over half of datacenters run virtualisation, making virtual infrastructures a prime target for attacks, one analyst said.

Related:

Topics: Hardware, Virtualization, VMware

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

7 comments
Log in or register to join the discussion
  • Wow!

    [i]" ... Iain Mulholland, director of VMware???s Security Response Center, said despite the code leak, it ???does not necessarily mean that there is any increased risk to VMware customers, ... ???[/i]

    ... and it also doesn't necessarily mean there is a 'decreased risk' to VMWare customers. I mean for real?!? Someone sack this bozo (..and give him a job at Cupertino).

    There are alternatives: and this simply adds weight to enterprises migrating to one of Citrix, Hyper-V or KVM, if they haven't already.
    thx-1138_
    • Alternative Wow

      Yes, react wildly and spend a couple of hundred thousand. Yes, there are alternatives to VMWare and like VMWare, they all have pros and cons.
      chrisinflight@...
      • @chrisinflight ... so you obviously

        don't see a problem with a leak of ESX code components? You wouldn't by any chance work for VMWare?

        [i]" ... Yes, react wildly and spend a couple of hundred thousand. "[/i]

        $200K on transition versus possible vulnerabilities exposing an entire corporate, virtualized stack and the infrastructure, data beneath it? Granted, neither of us know (as yet), but in network security, you always have to assume the worse case scenario. Now, tell me which one is the lesser of the two potential prices to pay now, wise@ss.
        thx-1138_
      • @thx-1138_

        So you are fine with blowing a quarter mil when you don't even know there is a threat? In this economy, I would not envision you as an IT Department Manager with a job too much longer if that money ends up being wasted because you simply jumped to an unfounded conclusion.

        Do you even know what components are affected by this disclosure? Are there security risks involved? If there are, can they be mitigated in a more cost-effective manner? Do our other security layers already provide enough protection to prevent compromise of our systems?

        There and dozens of other questions should be asked before the notion of migrating to a competing product is even considered.
        ultimitloozer
  • They are 10 years behind

    The source that was stolen was from 2003, ESX 2.0 timeframe. No one runs 2.0 anymore. It could even be EOL.
    kamal2000
    • Do you have official sources

      that can verify that?

      [i]" ... The source that was stolen was from 2003, ESX 2.0 timeframe. No one runs 2.0 anymore. It could even be EOL. "[/i]

      You make a blanket, generalized statement as though you could possibly know what every VMWare shop (enterprise customer) is doing, their upgrade (or not) planning & strategy - and their versioning history. Is that what you're going to claim?

      No? Then put a sock in it.
      thx-1138_
  • Does VMware give its code to state entities for inspection?

    Ok, I guess I don't understand why China???s National Electronics Import and Export Corp had VMware source code. Any clarification on that?
    packetracer