VMware says it is looking into claims that its source code had been hacked and leaked online.
In a statement, Iain Mulholland, director of the VMware Security Response Center, said that its security team had been made aware of the public posting of a single file from the VMware ESX source code and the possibility that more files may be posted in the future.
He said: “The posted code and associated commentary dates to the 2003 to 2004 timeframe. The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers. VMware proactively shares its source code and interfaces with other industry participants to enable the broad virtualisation ecosystem today.”
He concluded by saying that VMware takes customer security seriously and has engaged internal and external resources, including the VMware Security Response Center, to thoroughly investigate.
According to a report by SC Magazine Australia, the code related to VMware's ESX hypervisor and was obtained by hackers who allegedly broke into a Chinese defence contractor, where they also stole internal emails and documents.
The report said that a hacker known as 'Hardcore Charlie' claimed to have obtained the code by hacking China National Electronics Import-Export Corporation earlier this month, an allegation the company tersely refuted.
Hardcore Charlie published a series of documents that, he claimed in a Pastebin entry, show collusion between the corporation and Western military and terrorist organisations. He promised to release more breached data on 5 May.
Eric Chiu, president & founder of HyTrust, said: “Virtualisation is mainstream and over 50 per cent of enterprise data centres are now virtualised. Because of this success, virtual infrastructure is a prime target for attack – so the theft of VMware ESX source code, similar to RSA's breach last year, is no surprise. Platform security for virtual infrastructure is a must, without securing the virtual infrastructure, enterprises are leaving a huge area of their data centre open to attack.”
Mark Bower, data protection expert and VP at Voltage Security, said: “While details are sketchy, this attack once again shows that even the best prepared firms can have risks from consequential third party access to data out of their control.
“The real pain for the industry in this case is less about counterfeit VMware instances, but the intimate knowledge attackers may now possess of possible vulnerabilities in a critical virtualisation tool that is the foundation for many enterprise data centres, clouds and applications.
“This incident again underpins the industry's critical and growing need to adopt a data-centric security approach, irrespective of where data may reside, even in vulnerable systems it stays protected until the moment it's needed. In the attackers' hands, it's useless, even if they know exactly how the container the data is in functions and can itself be compromised.”