VMware source code stolen, impact unclear

VMware says it was one file of old code

VMware ESX source code has been stolen and posted online, but the company says its virtualization platform doesn't necessarily pose an increased risk to customers.

The stolen code amounts to a single file from sometime around 2003 or 2004, the company says in a blog post.

"The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers," according to the blog written by Iain Mulholland, director of the company's Security Response Center.

MORE: The Most Mortifying Moments in IT Security History

The code was stolen from a Chinese company called China Electronics Import & Export Corporation (CEIEC) during a March breach, according to a posting on the Kaspersky Threat Post blog.

The code along with internal VMware emails were posted online three days ago.

VMware didn't respond immediately to a request for more information about the impact of the breach on customers.

Eric Chiu, president of virtualization security firm Hytrust, says it's hard to say what VMware customers should do because there's not enough detail about how the exposed code is being used in current products.

In general, though, customers should review the security for virtual environments to address the fact that a compromised hypervisor exposes multiple virtual machines.

While the incident is reminiscent of the breach last year of RSA source code, the circumstances differ. An RSA partner was breached and that breach was used to send a malware-laced email to an RSA staffer who opened it.

In VMware's case, the CEIEC network was hacked and finding the source code was fortuitous.

This is what VMware posted in a blog: "Yesterday, April 23, 2012, our security team became aware of the public posting of a single file from the VMware ESX source code and the possibility that more files may be posted in the future. The posted code and associated commentary dates to the 2003 to 2004 timeframe.

"The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers. VMware proactively shares its source code and interfaces with other industry participants to enable the broad virtualization ecosystem today. We take customer security seriously and have engaged internal and external resources, including our VMware Security Response Center, to thoroughly investigate. We will continue to provide updates to the VMware community if and when additional information is available."

From CSO: 7 security mistakes people make with their mobile device
Join the discussion
Be the first to comment on this article. Our Commenting Policies