VMware Security Note: ESX Source Posted

The VMware Security Response Center has just posted the following announcement:

Yesterday, April 23, 2012, our security team became aware of the public posting of a single file from the VMware ESX source code and the possibility that more files may be posted in the future. The posted code and associated commentary dates to the 2003 to 2004 timeframe.

The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers.


Update, April 25th: I’ve been contacted to discuss this story in more detail. Here are some general points I have made.

  • VMware is being proactive in notifying customers and the public. They will provide further details if/when necessary but you can see from the announcement that they are attentive to risk and assessing it thoroughly. There was no prior announcement.
  • The breach of the China National Electronic Import-Export Company (CEIEC) at the start of this month (Apr 2nd) is being reported as related to this announcement. The US Government imposed sanctions against CEIEC in December of 2006 (FR Doc No: E6-22630) under “Section 3 of the Iran and Syria Nonproliferation Act”.
  • Do not download files from the CEIEC breach without taking special precaution against malware and exploits.

2nd Update, April 25th: The Register has posted a blurry image of the stolen code, covered in “Death Card” images. That is probably an historical reference to the “Ace of Spades,” which has been popularised as a victory taunt in American pop-culture.

The actual effect of the card, however, is far from what has been depicted in Hollywood and thus likely to be different from what was intended by those releasing the ESX code. Its history and effect are explained in detail by PsyWarrior, who includes a quote attributed to “Lieutenant Colonel William J. Beck who commanded the 4th PSYOP Group from 15 October 1967 to 7 October 1968”:

Any survey of the PSYOP program in Vietnam reveals that many psy-operators are frustrated by the lack of signs of tangible success in the PSYOP effort…Perhaps in an attempt to overcome this deficit many appear to be impressed with the values of what can only be called propaganda gimmicks. This includes the use of the ace of spades, special lighting effects, and ghostly loudspeaker broadcasts.

This aspect, unfortunately, has often reduced idea formation on the part of these operators and staff to the level of “gimmicky” and more or less desperate attempts to find a quick solution and dramatic breakthrough. This is not good PSYOP.

The Ace of Spades, therefore, appears historically to be a reference to attackers who struggle with a “lack of signs of tangible success”.
