Special feature: In a decade of watching VMware, I've encountered two unverified but irresistible legends about the company.
One is set in the very, very early days of the company, perhaps even before it opened for business. In this legend, IBM approaches VMware because Big Blue had sniffed the wind, realized x86 servers were going to be a huge market, and wanted to make sure it could bring virtualization to the platform. VMware showed x86 server virtualization was possible, but IBM didn't take matters further.
The second tale involves a meeting in the mid-2000s when then-CEO Diane Green was approached by Amazon.com to discuss what at the time seemed like a very odd request to acquire extraordinary quantities of the ESXi hypervisor on slightly funky terms.
In this story, VMware walked away… and Amazon decided to create its own cut of the open source Xen hypervisor to underpin what became Amazon Web Services.
I mention these stories because today, February 10, is VMware's 25th birthday.
How different might the company be at 25 had IBM engaged, or Amazon made it lord of the cloud? How different might all of enterprise computing be if IBM had prioritized x86 virtualization instead of persisting with its own platforms, or if hybrid cloud and public cloud had been intertwined from the very beginning?
We'll never know.
What we can state with certainty is that VMware at 25 is a singular success: few enterprise software companies ever reach its size or manage to thrive for so long.
Fewer still survive a full-on attack by Microsoft, which came hard at VMware in the late 2000s using its favorite tactic of replicating rival products and then bundling them at very low cost.
Microsoft tried that with Hyper-V to make it an irresistible alternative to vSphere. But VMware, and its customers, resisted.
vSphere has been the world's server virtualization platform of choice ever since.
The company started life serving developers with a desktop hypervisor so they could more easily test their work in multiple environments. Virtualization was already well known at that time in the mainframe and Unix worlds, but virtual machines on x86 were exotic.
VMware stretched into server virtualization and made it impressively mature just in time to surf server sprawl and the great recession of 2008 that put IT budgets under the microscope.
EMC saw VMware's success in that era, and cunningly acquired it because it saw abstraction of IT resources as the future. The former storage giant was true to its word in allowing VMware to operate independently, even when that meant it pursued virtual storage that made EMC's arrays less relevant.
Virtual storage also made hyperconverged infrastructure possible, creating a welcome new architectural option. VMware next took sufficient strides into software-defined networking that the likes of Cisco and Juniper felt the need to make similar moves which changed their offerings significantly.
All server makers know doing business with VMware is essential, and Dell knew that must not be allowed to change once its acquisition of EMC gave it stewardship of the virtualization giant.
All clouds have embraced VMware as a partner they need if they're to offer a hybrid service users want.
So VMware grew and grew and grew, with revenue on track to crack $12 billion this financial year.
Virtzilla, as The Register likes to call it in homage to its dominance of server virtualization, has not been immune to controversy or error. It misstepped badly with price increases that came to be known as "vTax." In 2015 it paid a colossal fine for misleading pricing. In 2022 it wore an $8 million fine after being accused of shifting revenue into more convenient quarters to make its numbers look prettier.
The company has spent the better part of a decade trying to sort out its container strategy, and I know I'm not alone in thinking that the resulting Tanzu portfolio isn't its most coherent or mature offering. Plenty of players think they have a chance to steal VMware's future by claiming the containerization crown and making virtual machines a legacy afterthought.
In recent years the company has also had some software quality problems, which will be tested as cybercriminals focus on its platforms like never before.
VMware users of my acquaintance grumble about price and bundling of weaker products alongside the essential vSphere and vCenter.
But few quit the company. And plenty participate in its user groups, which have generated a vivid and prolix blogosphere.
Current and former VMware staffers I spoke to for this piece talked about working for the company as a career highlight, often leading to enduring friendships that outlasted their time at the company.
VMware CEO Raghu Raghuram this week posted birthday wishes, and ended his post with: "VMware can celebrate 25 years of success, and look forward to a promising future."
That future will be as the flagship of Broadcom's software division, which last year agreed to acquire VMware for $61 billion. Regulatory necessity means Broadcom has not been able to say much of substance while it concludes the transaction, other than a string of assurances that it treasures VMware and won't upset its customers, partners or wider community.
But when I talk to those stakeholders, they remain nervous.
As should we all. Software companies of VMware's scale and significance are rare, and represent important counterweights to the even larger – and often more ruthless – players that Virtzilla has been able to evade for so long.
Three security vulnerabilities affecting VMware's vRealize Log Insight platform now have public exploit code circulating, offering a map for cybercriminals to follow to weaponize them. These include two critical unauthenticated remote code execution (RCE) bugs.
The vRealize Log Insight platform (which is transitioning its name to Aria Operations) provides intelligent log management "for infrastructure and applications in any environment," according to VMware, offering IT departments access to dashboards and analytics that have visibility across physical, virtual, and cloud environments, including third-party extensibility. Usually loaded onto an appliance, the platform can have highly privileged access to the most sensitive areas of an organization's IT footprint.
"Gaining access to the Log Insight host provides some interesting possibilities to an attacker, depending on the type of applications that are integrated with it," said Horizon.ai researcher James Horseman, who did a deep dive into the public exploit code this week. "Often, logs ingested may contain sensitive data from other services and may allow an attacker to gather session tokens, API keys, and personally identifiable information. Those keys and sessions may allow the attacker to pivot to other systems and further compromise the environment."
Organizations should take note of the risk, especially since the barrier to exploitation for the bugs — aka, the access complexity — is low, says Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative (ZDI), which reported the vulnerabilities.
"If you are doing centralized log management with this tool, it represents a significant risk to your enterprise," he tells Dark Reading. "We recommend testing and deploying the patch from VMware as soon as possible."
The two critical issues carry severity scores of 9.8 out of 10 on the CVSS scale and could allow an "unauthenticated, malicious actor to inject files into the operating system of an impacted appliance which can result in remote code execution," according to the original VMware advisory.
One (CVE-2022-31706) is a directory traversal vulnerability; the other (CVE-2022-31704) is a broken access control vulnerability.
The third flaw is a high-severity deserialization vulnerability (CVE-2022-31710, CVSS 7.5), which could allow an unauthenticated malicious actor to "remotely trigger the deserialization of untrusted data, which could result in a denial of service."
Horizon.ai researchers, after identifying the exploit code in the wild, discovered that the three issues could be chained together, prompting VMware to update its advisory today.
"This [combined] vulnerability [chain] is easy to exploit; however, it requires the attacker to have some infrastructure setup to serve malicious payloads," Horseman wrote. "This vulnerability allows for remote code execution as root, essentially giving an attacker complete control over the system."
That said, he offered a silver lining: the product is intended for use in an internal network, and Shodan data turned up only 45 instances of the appliance publicly exposed on the Internet.
That does not, however, mean that the chain can’t be used from within.
"Since this product is unlikely to be exposed to the Internet, the attacker likely has already established a foothold somewhere else on the network," he noted. "If a user determines they have been compromised, additional investigation is required to determine any damage an attacker has done."
The three bugs were first disclosed last week by the virtualization giant as part of a cache that also included one other, a medium-severity information-disclosure bug (CVE-2022-31711, CVSS 5.3) that could allow data harvesting without authentication. The latter doesn't yet have public exploit code, though that could quickly change, particularly given how popular a target VMware offerings are for cybercriminals.
There could also soon be multiple ways to exploit the other issues, too. "We have proof-of-concept code available to demonstrate the vulnerabilities," ZDI's Childs says. "We would not be surprised if others figured out an exploit in short order."
To protect their organizations, admins are urged to apply VMware's patches, or apply a published workaround as soon as possible. Horizon.ai has also published indicators of compromise (IoCs) to help organizations track any attacks.
Also, "if you are using vRealize or Aria Operations for centralized log management, you need to check what type of exposure that system has," Childs advises. "Is it connected to the Internet? Are there IP restrictions for who can access the platform? These are additional items to consider beyond patching, which should be your first step. It's also a reminder that every tool or product in an enterprise represents a potential target for attackers to gain a foothold."
‘I truly believe this is the age of the partner. Look at edge, look at AI, look at all of the trends that we’re seeing throughout the IT industry. There’s just so much opportunity, where do you focus? The way to do it is by partnering together,’ says VMware head of worldwide partner and commercial organization Ricky Cooper.
VMware’s head of worldwide partner and commercial organization, Ricky Cooper, is on a mission to recruit the best partners around the globe: resellers, systems integrators and distributors who can understand and solve the complex technical problems that drive progress.
“The only way we are going to succeed is to have partners on board who understand our technology, and can deploy our technology,” Cooper told CRN.
With the coming launch of Partner Connect 2.0 Cooper said VMware will reward partners who have invested in reaching technical designations such as solution competencies, master services competencies, validated services offerings, and who are cloud verified. Partners with those abilities will earn more points towards tier progression.
“I keep referring to the fact that this is the age of the partner,” Cooper said. “And I truly believe this is the age of the partner … Look at edge, look at AI, look at all of the trends that we’re seeing throughout the IT industry. There’s just so much opportunity, where do you focus? The way to do it is by partnering together.”
But it can’t be a one-way street, Cooper said, with only the partner investing in their employees and VMware’s success. He said rewarding technically mature partners with tier progression is the first step. The second is passing along work for those partners.
“One we’ll reward and two we will also make a huge effort to ensure that we’re passing as many services opportunities as we can to our partner ecosystem, and you’ll see a huge change,” he said. “There was a tendency before, when the pie is a bit smaller, and you’ve got large ELAs, we were taking on a lot of that services work ourselves. Things are really opening up... how does a partner ensure they have got increased profitability? By becoming an expert in our technology, and being a valued services partner, and taking on some of these services.”
VMware is on a path to forging more strategic relationships with a smaller set of partners through the new Pinnacle Tier of its Partner Connect Program, Cooper said. It will dedicate a worldwide leader to the Pinnacle Tier to centralize VMware’s Pinnacle Programs and form a community for its largest resellers. He said Pinnacle Partners will have a much tighter level of engagement such as executive sponsorship, managed account coverage, and joint business plan development.
Pinnacle Partners will also have access to a Big Bet program, which drives jointly aligned goals with targeted outcomes and is separate from the Partner Connect program and its incentives.
“We will invest resources, marketing dollars, Test Labs, etc. in the Big Bets program,” he said. “We can’t share with you at this time which partners make up the Pinnacle Tier, but we can tell you the list will include major reseller partners, amongst other partner types.”
The company is in the midst of a $61 billion takeover by chipmaker giant Broadcom. Broadcom CEO Hock Tan singled out the need to move more VMware customers into subscription licenses as well as Broadcom’s embrace of VMware’s partner ecosystem in his first comments on the proposed deal back in May.
Here’s more of what Cooper had to say.
Cybercriminals are actively exploiting a two-year-old VMware vulnerability as part of a ransomware campaign targeting thousands of organizations worldwide.
Reports emerged over the weekend that VMware ESXi servers left vulnerable and unpatched against a remotely exploitable bug from 2021 were compromised and scrambled by a ransomware variant dubbed “ESXiArgs.” ESXi is VMware’s hypervisor, a technology that allows organizations to host several virtualized computers running multiple operating systems on a single physical server.
France’s computer emergency response team CERT-FR reports that the cybercriminals have been targeting VMware ESXi servers since February 3, while Italy’s national cybersecurity agency ACN on Sunday warned of a large-scale ransomware campaign targeting thousands of servers across Europe and North America.
U.S. cybersecurity officials have also confirmed they are investigating the ESXiArgs campaign. “CISA is working with our public and private sector partners to assess the impacts of these reported incidents and providing assistance where needed,” a CISA spokesperson told TechCrunch. “Any organization experiencing a cybersecurity incident should immediately report it to CISA or the FBI.”
Italian cybersecurity officials warned that the ESXi flaw could be exploited by unauthenticated threat actors in low-complexity attacks, which don’t rely on using employee passwords or secrets, according to the Italian ANSA news agency. The ransomware campaign is already causing “significant” damage due to the number of unpatched machines, local press reported.
More than 3,200 VMware servers worldwide have been compromised by the ESXiArgs ransomware campaign so far, according to a Censys search (via Bleeping Computer). France is the most affected country, followed by the U.S., Germany, Canada and the United Kingdom.
It’s not clear who is behind the ransomware campaign. French cloud computing provider OVHCloud backtracked on its initial findings suggesting a link to the Nevada ransomware variant.
A copy of the alleged ransom note, shared by threat intelligence provider DarkFeed, shows that the hackers behind the attack have adopted a “triple-extortion” technique, in which the attackers threaten to notify victims’ customers of the data breach. The unknown attackers are demanding 2.06 bitcoin — approximately $19,000 in ransom payments — with each note displaying a different bitcoin wallet address.
In a statement given to TechCrunch, VMware spokesperson Doreen Ruyak said the company was aware of reports that a ransomware variant dubbed ESXiArgs “appears to be leveraging the vulnerability identified as CVE-2021-21974” and said that patches for the vulnerability “were made available to customers two years ago in VMware’s security advisory of February 23, 2021.”
“Security hygiene is a key component of preventing ransomware attacks, and organizations who are running versions of ESXi impacted by CVE-2021-21974, and have not yet applied the patch, should take action as directed in the advisory,” the spokesperson added.
Updated with comment from CISA.
By exploiting the vulnerabilities in VMware’s vRealize Log Insight tool, an attacker could seize control of an impacted system, the U.S. cybersecurity agency said Wednesday.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging the deployment of patches for vulnerabilities affecting a VMware log management and analytics tool, including two vulnerabilities that have received a “critical” severity rating from VMware.
The two critical vulnerabilities affecting VMware’s vRealize Log Insight tool could be leveraged to enable remote execution of code on a system by an unauthenticated user, the company said. In other words, “a remote attacker could exploit these vulnerabilities to take control of an affected system,” CISA said in its advisory Wednesday.
“CISA encourages users and administrators to review VMware Security Advisory VMSA-2023-0001 and apply the necessary updates,” the agency said.
While both VMware and CISA are referring to the affected tool as vRealize Log Insight in their advisories, presumably because that is the more recognizable name, the tool has actually been renamed and is now officially known as VMware Aria Operations for Logs, according to VMware’s website.
The two VMware vulnerabilities that could enable remote code execution are:
The two other vRealize Log Insight vulnerabilities disclosed this week by VMware include a deserialization vulnerability (with a severity score of 7.5, considered to be of “important” severity) and an information disclosure vulnerability (with a severity score of 5.3, considered to be of “moderate” severity).
When it comes to the ongoing issue of needing to address vulnerabilities in software, the key for organizations is to get a handle on what the genuine business impact will be from any given vulnerability — and then prioritize accordingly, according to Brad Davenport, vice president of technical architecture for cybersecurity, networking and collaboration at Logicalis US, No. 66 on the 2022 CRN Solution Provider 500.
“With so many different solutions in your infrastructure, with so many different software suites, you can’t possibly be expected to be 100 percent patched all of the time,” Davenport told CRN. “It’s a constant prioritization game to determine what ultimately is the business impact, and then to really prioritize those things.”
Being able to prioritize in that way, however, is an area that many businesses struggle with. Many businesses “have not yet reached that level of maturity, where they understand what the genuine business impact of vulnerabilities are,” he said.
That’s prompted many organizations to seek out advisory services for these types of scenarios from providers that offer them such as Logicalis US, Davenport said.
“What we’ve tried to do is push that conversation further outside of the IT decision makers, and talk more generally with the business leaders and business owner about risks” from issues such as software vulnerabilities, he said.
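Added example, not code from any of the articles above or from VMware: a small patch-and-exposure triage over a constructed appliance inventory. It applies the checks quoted on this page for the Aria Operations for Logs bugs and the ESXi bug behind ESXiArgs (patch first, then ask whether the system is reachable from the Internet and whether source-IP restrictions exist) and weights the result by business impact, as Davenport's prioritization advice suggests. The product keys, column names, the CVSS score for CVE-2021-21974 (from VMware's 2021 advisory, not quoted here) and the numeric weights are assumptions.

```python
import csv
from io import StringIO

# Advisory data as stated on the page: CVE id -> (CVSS base, exploit status, label).
# The 8.8 for CVE-2021-21974 is from VMware's February 2021 advisory, not this page.
ADVISORIES = {
    "aria-operations-for-logs": {  # vRealize Log Insight, VMSA-2023-0001
        "CVE-2022-31706": (9.8, True, "directory traversal, unauthenticated RCE"),
        "CVE-2022-31704": (9.8, True, "broken access control, unauthenticated RCE"),
        "CVE-2022-31710": (7.5, True, "deserialization, denial of service"),
        "CVE-2022-31711": (5.3, False, "information disclosure"),
    },
    "esxi": {  # exploited by the ESXiArgs ransomware campaign
        "CVE-2021-21974": (8.8, True, "remotely exploitable, used by ESXiArgs"),
    },
}
IMPACT_WEIGHT = {"high": 1.5, "medium": 1.0, "low": 0.5}  # assumed weights

# Constructed inventory; "patched" means the advisory's fix or workaround is applied.
INVENTORY = """\
name,product,patched,internet_exposed,ip_restricted,business_impact
logs-01,aria-operations-for-logs,no,yes,no,high
logs-02,aria-operations-for-logs,yes,no,yes,high
esx-07,esxi,no,yes,no,medium
esx-12,esxi,no,no,yes,low
"""


def triage(row):
    """Score one inventory row; higher means act sooner. Returns (score, findings)."""
    cves = ADVISORIES.get(row["product"], {})
    if not cves:
        return 0.0, ["no advisory tracked for this product"]
    if row["patched"] == "yes":
        return 0.0, ["patched; still confirm exposure on the next pass"]
    findings = []
    # Baseline: the worst unpatched CVSS score; patching is the first step.
    score = max(cvss for cvss, _, _ in cves.values())
    findings.append("unpatched: " + ", ".join(sorted(cves)))
    if any(exploited for _, exploited, _ in cves.values()):
        score += 2.0
        findings.append("public exploit code or active exploitation reported")
    if row["internet_exposed"] == "yes":
        score += 3.0  # both products are meant for internal networks
        findings.append("reachable from the Internet")
    if row["ip_restricted"] != "yes":
        score += 1.0
        findings.append("no source-IP restriction on access")
    score *= IMPACT_WEIGHT.get(row["business_impact"], 1.0)
    return round(score, 1), findings


def triage_inventory(csv_text):
    """Parse the CSV inventory and return rows sorted by descending score."""
    rows = list(csv.DictReader(StringIO(csv_text)))
    for row in rows:
        row["score"], row["findings"] = triage(row)
    return sorted(rows, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in triage_inventory(INVENTORY):
        print(f'{r["name"]:8} {r["score"]:5}  ' + "; ".join(r["findings"]))
```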
Cybersecurity agencies in Europe are warning of ransomware attacks exploiting a two-year-old computer bug as Italy experienced widespread internet outages.
The Italian premier's office said Sunday night the attacks affecting computer systems in the country involved "ransomware already in circulation" in a product made by cloud technology provider VMware.
A Friday technical bulletin from a French cybersecurity agency said the attack campaigns target VMware ESXi hypervisors, which are used to monitor virtual machines.
Palo Alto, California-based VMware fixed the bug back in February 2021, but the attacks are targeting older, unpatched versions of the product.
The company said in a statement Sunday that its customers should take action to apply the patch if they have not already done so.
"Security hygiene is a key component of preventing ransomware attacks," it said.
The U.S. Cybersecurity and Infrastructure Security Agency said Sunday it is "working with our public and private sector partners to assess the impacts of these reported incidents and providing assistance where needed."
The problem attracted particular public attention in Italy on Sunday because it coincided with a nationwide internet outage affecting telecommunications operator Telecom Italia, which interfered with streaming the Spezia v. Napoli soccer match but appeared largely resolved by the time of the later Derby della Madonnina between Inter Milan and AC Milan. It was unclear whether the outages were related to the ransomware attacks.