Today, Iain Mulholland, Director of the VMware Security Response Center, posted a VMware Security Note on one of the VMware corporate community blogs announcing that a single file from its ESX hypervisor source code had been leaked and posted online. He also alluded to the possibility that more proprietary files may be posted in the future. Mulholland wrote:
Yesterday, April 23, 2012, our security team became aware of the public posting of a single file from the VMware ESX source code and the possibility that more files may be posted in the future. The posted code and associated commentary date to the 2003 to 2004 timeframe.
The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers. VMware proactively shares its source code and interfaces with other industry participants to enable the broad virtualization ecosystem today. We take customer security seriously and have engaged internal and external resources, including our VMware Security Response Center, to thoroughly investigate. We will continue to provide updates to the VMware community if and when additional information is available at http://blogs.vmware.com/security/
The potential risk of the leaked source code file depends on which piece of the code was compromised. Is it part of the old Service Console? Or is it part of the VMM? VMware's source code is proprietary and closed, but the virtualization giant does share it with a few select companies outside its walls. VMware has a co-development program called the Community Source Program, which provides access to ESX source code so that qualified partners can develop new features and/or advanced virtualization technology that can be integrated with VMware Infrastructure. For the most part, I believe the program was created to support hardware vendors so that they could create drivers and the like.
In 2008, VMware introduced a slimmed-down version of ESX called ESXi. It was a more secure platform, having removed components such as the old Service Console, and its smaller size allowed it to be distributed and embedded on server motherboards.
VMware is investigating the breach. Now we wait until we learn more about exactly what was leaked, and whether anything else is leaked in the coming days, weeks or months. Stay tuned!