In case you needed more encouragement to move to ESXi here’s a good reason. The recent Linux vulnerability that was announced that can give attackers root access to a system effects the ESX 4.x Service Console as well as it is based off Red Hat Linux with the 2.6.28 kernel. The vulnerability affects nearly all 64-bit Linux distros but is not present in 32-bit Linux distros. Because of that the ESX 3.x Service Console is not affected by this. Apparently VMware is aware of this and a patch is in the works so be on the lookout for it and patch your systems immediately. If an attacker were to gain root access to your ESX Service Console they could easily gain access to all your VM’s as well. ESXi systems are not affected at all as they do not run a full Linux operating system and instead run a small POSIX based environment that has a smaller attack surface.
Sep 22 2010
Hi there. Many thanks for this information!
At first stance I thought that the ESX 4.x servers could be unaffected, but what I didn’t know is that Red Hat patched his RHEL5 with a backport that already includes the fix that causes this security problem.
“This issue affects the 64-bit versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5, as they include a backport of the upstream git commit 42908c69, which introduced the compat_mc_getsockopt() function that a local, unprivileged user can use to abuse the compat_alloc_user_space() call to escalate their privileges…”
Sure, getting rid of the service console reduces your exposure to vulnerabilities. It also reduces your functionality. If you get rid of all of your VMs, you will reduce your security exposure even more.
I know I’m in the minority, but one of the appealing things about ESX has always been the familiar *nix environment and associated administrative capability. I’ll miss it when it’s gone, and I am watching Red Hat’s virtualization offering with great interest.
unhappy in ann arbor