The answer to that question should be obvious, but it became a headline earlier today when word got out about a big hack affecting 100.000 sites. All data for these sites was removed when servers at Vaserv.com were brought down by a zero-day exploit in LXLabs’ HyperVM software.
HyperVM is a solution that allows for centralized management of both Xen and OpenVZ-based virtual machines. The flaw allowed arbitrary commands to be executed with “root” permissions, which led to complete servers being wiped. In fact, there are allegedly many security issues in this product. So in the case of Vaserv, there were two extra layers at which security issues could arise:
- The virtualization layer (Xen or OpenVZ)
- The management application (HyperVM)
Much has already been said about the security of virtual environments (cloudsecurity.org is a nice starting point for anyone that wants to read more about this subject), but this is a real example of how any software you add can also add security vulnerabilities. In this case, it looks like the HyperVM management console is directly accessible for customers. While this allows clients to view nice statistics and make realtime changes, there are some nasty side-effects.
Looking at the best-known virtual computing service, Amazon’s EC2, their service is structured in a much better way. There is a central provisioning system, but it doesn’t make realtime changes; you’ll have to wait a while for requested changes or new machines to become live. That probably means the provisioning system that actually creates and manages the virtual machines is not connected directly to the customer interfaces. But that still means EC2 machines have an extra layer of potential security issues; the Xen virtualization software that they use. If anyone manages to break out of their virtual machine, they could potentially gain access to other virtual machines on the same host machine, or possibly even to a shared storage network.
Will this change how people look at virtual machines and cloud computing? I doubt this incident alone will do so, but I do expect to see some of the larger hosters pay more attention to their hosting products that are based on real, physical servers; and we might even see Amazon offer real, physical server hosting in the near future.