Virtualization and Security
Posted by Kris Lamb on September 21, 2007 at 11:45 AM EDT.
I probably don't have to tell you that virtualization is one of the hottest technologies in the IT world right now. Between the demand for x86 server virtualization at the enterprise, mid, and small business levels as well as the demand for multi-OS and runtime desktop solutions in both the business and consumer markets, virtualization is all the rage.
And with this popularity and relevance, we have noticed that IBM ISS has had an avalanche of press inquiries asking us to talk about the security implications of virtualization. We were giving press interviews this week regarding virtualization, security and the three high risk vulnerabilities X-Force discovered in a number of VMware virtualization products, which were announced this week, and one of the reporters inquired about specific vulnerability trends regarding virtualization. After the interview was complete, I started to wonder if quantitative vulnerability data would back up some of the qualitative trends that we discussed during the interview. So needless to say, I decided to ask the X-Force Database team to pull some data and see exactly what it indicated. I didn't have the time to sort and analyze all the data for every possible vulnerability that affected every possible virtualization vendor and/or software, so I decided I would focus on looking at all the vulnerability data for the market leader in x86 virtualization, VMware.
We pulled all known vulnerabilities across all of VMware’s products since 1999. I then focused on categorizing by year, by severity, by impact, by vector and by whether the vulnerability was in VMware's proprietary first-party components or in third-party components that they use in their products.
Once I pulled all the data, sorted and structured it in various ways, it summarized like this:
| VMware Vulns by Year | Total Vulns | High Risk Vulns | Remote Vulns | Vulns in First Party Code | Vulns in 3rd Party Code |
|---|---|---|---|---|---|
| Vulns in 1999 | 1 | 1 | 0 | 1 | 0 |
| Vulns in 2000 | 1 | 1 | 0 | 1 | 0 |
| Vulns in 2001 | 2 | 0 | 0 | 2 | 0 |
| Vulns in 2002 | 1 | 1 | 1 | 1 | 0 |
| Vulns in 2003 | 9 | 5 | 5 | 5 | 4 |
| Vulns in 2004 | 4 | 2 | 0 | 2 | 2 |
| Vulns in 2005 | 10 | 5 | 5 | 4 | 6 |
| Vulns in 2006 | 38 | 13 | 27 | 10 | 28 |
| Vulns in 2007 | 34 | 18 | 19 | 22 | 12 |
| TOTALS | 100 | 46 | 57 | 48 | 52 |
So what are some of the interesting trends?
- There have been 100 vulnerabilities disclosed across all of VMware’s virtualization products since 1999.
- 57% of the vulnerabilities discovered in VMware products are remotely accessible, while 46% are high risk vulnerabilities.
- 72% of all the vulnerabilities in VMware virtualization products have been discovered since 2006.
- 48% of the vulnerabilities in VMware virtualization products are in first-party code and 62% are in third-party code that their non-hosted Linux-based products use.
- Starting in 2007, the number of vulnerabilities discovered in first-party VMware components was almost double the number discovered in third-party VMware components. 2007 is the first year in which first-party VMware vulnerabilities outnumbered third-party VMware vulnerabilities.
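The categorization described above (by year, severity, vector and first- versus third-party code) and the headline percentages derived from it can be reproduced on any vendor's vulnerability list. The following is an added example, not X-Force code or data: it runs over a constructed set of records and also checks that the first-party and third-party counts add up to the total, so a split whose shares do not sum to 100% is caught before it is published.

```python
from collections import defaultdict

# Constructed sample records (not X-Force data). Each record carries the
# fields the post categorizes by: disclosure year, severity, attack vector,
# and whether the affected component is vendor first-party or third-party code.
SAMPLE_VULNS = [
    {"year": 2005, "severity": "high",   "vector": "remote", "component": "first"},
    {"year": 2005, "severity": "medium", "vector": "local",  "component": "third"},
    {"year": 2006, "severity": "high",   "vector": "remote", "component": "third"},
    {"year": 2006, "severity": "low",    "vector": "remote", "component": "third"},
    {"year": 2006, "severity": "medium", "vector": "local",  "component": "first"},
    {"year": 2006, "severity": "high",   "vector": "remote", "component": "third"},
    {"year": 2007, "severity": "high",   "vector": "remote", "component": "first"},
    {"year": 2007, "severity": "high",   "vector": "local",  "component": "first"},
    {"year": 2007, "severity": "medium", "vector": "remote", "component": "third"},
    {"year": 2007, "severity": "high",   "vector": "remote", "component": "first"},
]

COLUMNS = ("total", "high", "remote", "first_party", "third_party")

def summarize_by_year(vulns):
    """Build the per-year table used in the post (total, high-risk, remote,
    first-party and third-party counts) plus a TOTALS row."""
    table = defaultdict(lambda: dict.fromkeys(COLUMNS, 0))
    for v in vulns:
        if v["component"] not in ("first", "third"):
            raise ValueError(f"unclassified component in record {v!r}")
        row = table[v["year"]]
        row["total"] += 1
        row["high"] += int(v["severity"] == "high")
        row["remote"] += int(v["vector"] == "remote")
        row["first_party"] += int(v["component"] == "first")
        row["third_party"] += int(v["component"] == "third")
    table["TOTALS"] = {c: sum(r[c] for r in table.values()) for c in COLUMNS}
    return dict(table)

def trend_percentages(table, since_year=2006):
    """Derive the headline shares: remote, high risk, disclosed since
    `since_year`, and the first-/third-party split. Every vulnerability is
    either first- or third-party, so the split must sum to the total."""
    t = table["TOTALS"]
    if t["first_party"] + t["third_party"] != t["total"]:
        raise ValueError("first-party + third-party counts do not equal total")
    recent = sum(r["total"] for y, r in table.items()
                 if y != "TOTALS" and y >= since_year)
    def pct(n):
        return round(100 * n / t["total"])
    return {"remote_pct": pct(t["remote"]), "high_pct": pct(t["high"]),
            "since_pct": pct(recent), "first_pct": pct(t["first_party"]),
            "third_pct": pct(t["third_party"])}
```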
How do I interpret these trends?
- It is clear that with the increase in popularity, relevance and deployment of virtualization starting in 2006, vulnerability discovery energies have increasingly focused on finding ways to exploit virtualization technologies.
- Combine the vulnerabilities in virtualization software with the vulnerabilities in operating systems and applications that still exist independent of the virtualization software, and with the new impact of virtual rootkits and break-out attacks. Then add the fact that in a virtual environment all your exploitation risks are consolidated onto one physical target, where exploiting one system could potentially allow access to and control of multiple systems on that server (or of the server itself). In total, this adds up to a more complex and risky security environment.
- Virtualization does not equal security!
So I guess I found the answer to my original question. Virtualization vulnerability data did back up the qualitative trends that we discussed during the interview.
And what were those trends that we discussed during the interview?
- New virtual computing environments have the potential to be far less secure than traditional physical computing environments.
- There are security risks, scenarios and vectors that are unique to virtualization software and architectures which must be considered very carefully.
- It is imperative that security implications be thought about up front when deploying and converting to virtualization in the data center.
- Given the complexity, sophistication and addition of security risk in a virtual environment, it is critical that virtualization vendors build open and inclusive ecosystems that allow security vendors and their technologies to plug in and integrate to offer the best solutions to these security problems.