VMware warns customers further ESX source code leaks could be coming
VMware is warning that more of the source code for its ESX enterprise virtualization product may be posted online, which could pose an additional security risk to any firm that has deployed the product.
Earlier this month, a hacker calling himself Stun tweeted that he had leaked a file containing the VMware ESX server kernel. VMware confirmed this was ESX source code dating back to 2004.
VMware said this code was related to the source code that was posted publicly in April of this year. On April 23, a hacker going by the alias Hardcore Charlie posted some of the code online and said he had a total of 300 MB of ESX source code.
The ESX virtualization product includes "bare-metal" hypervisor, meaning it installs directly on top of the physical server and partitions it into multiple virtual machines that can run simultaneously, sharing the physical resources of the underlying server, VMware said on its website. ESX runs its own kernel, or source code, unlike some other virtualization software that requires an operating system.
Iain Mulholland, director of platform security at VMware, commented, "VMware strongly encourages all customers to apply the latest product updates and security patches made available for their specific environment. We also recommend customers review our security hardening guides. By applying the combination of the most current product updates and the relevant security patches, we believe our customer environments will be best protected."
Jon Oltsik, a senior principal analyst with research firm ESG, told PC Advisor that the release of ESX source code increases security risks for customers. "Even though the source code is old, some of it is likely the foundation of modern day ESX," he said. "Cybercriminals now have a recipe for potential vulnerabilities to research and exploit. I would imagine a spike in VMware-focused malware as a result."