Content, Breach

VMware vSphere Security Vulnerability: GuardiCore’s Black Hat Conference Surprise

Ofri Ziv
GuardiCore's Ofri Ziv

GuardiCore, an aptly named data center and cloud security specialist, says it has discovered a significant VMware vSphere vulnerability and reported it to the virtualization company. The twist? Details about the vulnerability will remain a secret until GuardiCore describes the issue more fully during the Black Hat USA 2017 conference next week. VMware will release a fix for the flaw at that time.

The big question: Why wait to disclose the vulnerability details and the fix until that time?

While you ponder that question here are the publicly disclosed details so far: On vSphere versions 6.5, 6.0, 5.5, an ill-intentioned hacker can break the security model of host-guest isolation--central to compliance and defense--and gain root privileges on guest machines, according to GuardiCore.

Ofri Ziv, who heads GuardiCore Labs, will demo both an attack and the mitigation at a July 27 Black Hat conference session entitled Escalating Insider Threats Using VMware’s API. VMware subsequently will release a security advisory.

None of the above is even a whiff unusual except for one seemingly minor thing: GuardiCore--and ostensibly VMware’s--decision to says there's a vulnerability eight days ahead of the Black Hat session absent an announced fix. That’s a bit out of the ordinary--typically we see notification of a flaw, word that a fix is in the works or, in most cases a mitigation advisory, delivered all at the same time.

Until VMware delivers the fix, could a hacker somehow stumble onto the specific details of the vulnerability and exploit the hole? That seems like a long-shot -- but why take the risk?

Perhaps there is some public relations strategy at work, not cunning or conniving mind you, simply a way to draw more interest to the conference session. Still, assuming for a moment that’s how it went down, if the vulnerability and associated fix were announced simultaneously rather than kept a secret of sorts until the conference, would the session’s content have been undermined? Not likely. So then why the drama?

Ziv appeared to address the question, referring to the demo as an example of strong data center security.

"Today's dynamic and virtualized environments present evolving security,” he said. "Through the VMware example, we hope to shed light on the continued importance of monitoring and enforcing privileges in the modern data center."

The San Francisco and Tel Aviv, Israel-based GuardiCore said its Labs research unit focuses on the most advanced threats facing data centers and clouds. The unit's recent, high-profile threat discoveries include the Bondnet botnet used to mine different cryptocurrencies, a variant of the MongoDB ransomware attack targeting MySQL databases, the Trojan.sysscan malware and the Infection Monkey that was presented at Black Hat 2016.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.