You are doing it WRONG. Failures in Virtualization Systems. A tragedy in 3 acts By Claudio Criscione

Transcription

1 You are doing it WRONG Failures in Virtualization Systems A tragedy in 3 acts By Claudio Criscione

2 /me Claudio

3 They are in Spain in 1982

4

5

6 Enough about Italy Let's get to (another) tragedy

7

8

9 The Stats 5 man/days 18 0days

10 VASTO was born from this vasto.nibblesec.org

11 A complex problem

12 Many components

13 CPU isolation Availability Management Scalability And so on

14 Can we do better? Let's see

15 Your Mission Should you decide to accept it, is to design a virtualization infrastructure You want it to be SECURE RELIABLE MANAGEABLE

16 REMEMBER

17 It is the MOST critical part your infrastructure

18

19 What you DON'T WANT Large attack surface Tons of different web services Huge OS footprint Like Windows Legacy stuff Like embedded app servers Managed by the same IT guys

20 SOUNDS FAMILIAR?

21 The driving forces of virtualization*

22 Time to market

23 Efficiency As easy as possible. Money Saving As little

24 Security Security has never been so important. However, security today means, mostly, CPU level sec or VM segregation, or inside the VM security!

25 Complexity

26 INCREDIBLY COMPLEX INFRASTRUCTURES MADE EASY QUICK TO MARKET HAVE TO ACHIEVE MONEY SAVING SECURED AT THE HYPERVISOR LEVEL

27 The Results? Security is not keeping up with this.

28 The best approach we can think of is the manual audit of the hypervisor code and to keep the hypervisor as small and simple as possible. The Invisible Things

29 The story so far OR How do I own you

30 Attack Scenario

31 Everyone is securing the VMs Securing the VM => Improve your current, no virtualization security Securing the hypervisor => Mandatory requirement, or no virtualization

32 Mapping security T0:RELEASE Time Attack Complexity Low Hanging Fruits WTF?!?! Standard issues WOOOOPS Did the homework

33 Mapping security Time Attack Complexity Low Hanging Fruits E WTF?!?! vo l ut io n Standard issues WOOOOPS Did the homework

34 VMware Complexity Time Year XSS/CSRF/Web Unsafe File or Config Path traversal, sanitization Memory Corruption

35

36 Is it that bad?

37 XSS? Yes, thank you

38 A quick demo XSS'ed! Builds channel gives session vcenter Pwnage VASTO vasto.nibblesec.org Visits evil link

39 Log Files

40 vpxd-profiler A debug file written by vcenter. With a surprise. SessionStats/SessionPool/Session/Id='06B90BCBA0A4-4B9C-B680-FB72656A1DCB'/ Username= FakeDomain\FakeUser'/ SoapSession/Id='AD45B176-63F BBF0FE1603E543F4'/Count/total 1 Update: this has just been fixed!

41 Read-only access == takeover

42 Shell Escape

43 BONSAI Oracle VM (2.1.5 Unbreakable) Authenticated As the virtualization admin, not a system user! Remote code exec Virtualization admin system root Bye bye accountability...

44

45 if it ain't broke, don't fix it Bert Lance

46 The Actual Challenge IT / Virtualization Vs Security

47 Our Goal Bringing back security to the security team Harden the virtualization infrastructure

48 Introducing a new old idea The idea

49 Virtualization Cells

50 Defining a vcell It is an atomic management unit, which defines a service or a group of services, is technologically uniform and logically self contained

51 Ok, we've got the cells What now?

52 The vgatekeeper

53 vgatekeeper Expectations CAUTERIZATION AGNOSTICISM Central Mandatory Access Control

54

55 Current implementations Modern virtualization and cloud solutions run on top of Web Services [SOAP] [APIs & Delta APIs]

56 Ok, that's not entirely true Proprietary protocols Command line tools But we cover most targets

57 The Strategy vcell 4 vcell 1 Cloud vcell 2 Providers vcell 5 vcell 6 vcell 3 vgatekeeper Management Node Another wonderful diagram by OpenOffice Admin

58 The PoC - VMware vcenter - ESXi - Compromised vcenter - Services to protect - VASTOkeeper

59 Easy

60 Mod-security to the rescue We use mod security and Apache as our rules enforcer We proxy VMware vcenter and vclient and everything else We decide what goes through and what doesn't

61 Sample rules Thou shalt not TURN OFF THAT VIRTUAL MACHINE Thous shalt not HAVE THE ACTUAL ROOT PASSWORD

62 Proving that!

63 vcell 1 ESXi client vcenter VASTOkeeper Linux + modsecurity + rulegen ESXi

64 So, what have we achieved?

65 Additional protection for the infrastructure [You can't reach it anymore] Mitigation of incidents [Call it hardening if you wish apparmor/selinux anyone?] Protecting all the cloud & virtualization landscape

66 I call this defence

67 Issues

68 However... Control is BACK TO SEC- TEAM The attack surface just got... smaller

69 Maybe the next XSS won't be as devastating

70 Questions

71 You are doing it WRONG Failures in Virtualization Systems A tragedy in 3 acts By Claudio blackfire@nibblesec.org