Anonymous Hacker Claims Credit For VMware ESX Code Leak

On Tuesday, Kaspersky Lab's Threatpost blog reported the details of its recent IRC conversation with "Hardcore Charlie," the anonymous hacker who posted the purported VMware ESX source code online on April 8.

Hardcore Charlie claims to have obtained the VMware ESX source code after breaching the corporate network of the China National Electronics Import-Export Corporation (CEIEC), a Beijing-based firm. He also broke into and stole documents from the networks of China North Industries Corporation (Norinco) WanBao Mining Ltd, Ivanho and PetroVietnam, according to the Threatpost report.

VMware could not be reached for comment.

In a security bulletin issued earlier on Tuesday, VMware warned that a single file from its ESX server hypervisor source code had been posted online and said it is possible that more proprietary files could be leaked.

The leaked ESX code is from the 2003 to 2004 period, and security experts told CRN the potential impact of the breach depends on how much VMware has changed the code base since then.

VMware said it shares source code with industry partners, but other vendors, including Cisco, have had source code leaks in the past without problems, said Charlie Winckless, senior security architect at Presidio Networked Solutions, Greenbelt, Md.

Still, a zero-day vulnerability in ESX could pose significant problems for VMware and the legions of cloud service providers whose infrastructure runs on the hypervisor. Winckless said the availability of ESX source code could give hackers a better chance to find undiscovered vulnerabilities.

"How serious this exposure is depends on the level of code audit performed," Winckless said. "There almost certainly will be some bugs and issues exposed, but it's far from certain that they are exploitable."

VMware spends a lot of effort guarding against the disaster scenario of attackers compromising multiple virtual servers on a single piece of hardware, which makes it less likely that such an attack could stem from the leaked source code, according to Winckless.

"I'd assume that any issues found will be less serious and mostly on customers who haven't upgraded to later versions," he said.