VMware vulnerabilities survey

Software is usually affected by some kind of security vulnerability. Vulnerabilities can be classified into several types in order to ease their impact analysis and to provide a common framework for reasoning about them. Virtualization products abstract away the details of the physical hardware and give users the means to run multiple virtual machines on it. Virtualization users often forget or ignore that this additional software layer exposes them to additional attack vectors and potential vulnerabilities. In this paper, we analyze the known vulnerabilities for VMware, a well-known virtualization product.

Check the Full Paper:




NSA’s “Equation Group” and hard drive firmware modification and malware installation (GRAYFISH / EQUATIONDRUG)

According to Kaspersky:

“The Equation group is a highly sophisticated threat actor that has been engaged in multiple CNE (computer network exploitation) operations dating back to 2001, and perhaps as early as 1996. The Equation group uses multiple malware platforms, some of which surpass the well-known “Regin” threat in complexity and sophistication. The Equation group is probably one of the most sophisticated cyber attack groups in the world; and they are the most advanced threat actor we have seen.”

The Kaspersky engineers consider “GRAYFISH” and “EQUATIONDRUG” the most sophisticated and dangerous malware around, because they can modify the firmware of the victim’s hard disk.

“This is a file that shows the job postings for NSA interns; you can find an NSA wiki link on the last page. And this is very interesting:

(TS//SI//REL) Create a covert storage product that is enabled from a hard drive firmware modification. The idea would be to modify the firmware of a particular hard drive so that it normally only recognizes half of its available space. It would report this size back to the operating system and not provide any way to access the additional space.”

“The whole point of this is that they (NSA) have worked out how to rewrite the HDD firmware, which is usually just about impossible. Then it is read every time the disk is used, if they want. Your AV can’t see it, and it wouldn’t shock me if they had figured out a secondary way to send the data out.”

“The problem comes from the fact there’s a standardized API to write the firmware but no API to read it. This means we can’t easily check if a HDD has been compromised. Several suggested solutions from our side include: firmware signing and checking on the disk side, firmware write-protect switch on the HDD and the ability to read the firmware easily and check for alterations.”
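Since the firmware itself cannot be read back, the checks a practitioner can actually run are indirect: compare the capacity the drive reports to the OS with the native maximum address it reports through a separate ATA command, and compare the firmware revision string with one recorded when the drive was known good. The Python below is an added example written for this page; it is not code from Kaspersky or from any of the quoted commenters. It parses a raw 512-byte ATA IDENTIFY DEVICE block (on Linux `hdparm --Istdout /dev/sdX` dumps one), takes the native max sector count as an input (`hdparm -N /dev/sdX` shows it), and flags both a capacity discrepancy and a firmware-revision change. All names, the serial number, the firmware revisions and the sector counts in the sample are constructed for the example.

```python
import struct

SECTOR_BYTES = 512  # logical sector size assumed for the constructed sample


def ata_string_decode(raw: bytes) -> str:
    """Decode an ATA IDENTIFY DEVICE string field.

    Each 16-bit word carries two ASCII characters with the first character
    in the high byte, so in the little-endian byte stream every pair of
    bytes appears swapped; swap them back and strip the space padding.
    """
    swapped = bytearray()
    for i in range(0, len(raw) - 1, 2):
        swapped += raw[i + 1:i + 2] + raw[i:i + 1]
    return swapped.decode("ascii", errors="replace").strip()


def ata_string_encode(text: str, length: int) -> bytes:
    """Inverse of ata_string_decode; used only to build the constructed sample."""
    padded = text.ljust(length).encode("ascii")[:length]
    out = bytearray()
    for i in range(0, length - 1, 2):
        out += padded[i + 1:i + 2] + padded[i:i + 1]
    return bytes(out)


def parse_identify(buf: bytes) -> dict:
    """Extract identity and capacity fields from a raw 512-byte IDENTIFY DEVICE block."""
    if len(buf) != 512:
        raise ValueError("IDENTIFY DEVICE data is exactly 512 bytes")
    w = struct.unpack("<256H", buf)          # 256 little-endian words
    lba48 = bool(w[83] & (1 << 10))          # word 83 bit 10: 48-bit addressing supported
    if lba48:
        # words 100-103: total addressable sectors (48-bit)
        sectors = w[100] | (w[101] << 16) | (w[102] << 32) | (w[103] << 48)
    else:
        # words 60-61: total addressable sectors (28-bit)
        sectors = w[60] | (w[61] << 16)
    return {
        "serial": ata_string_decode(buf[20:40]),     # words 10-19
        "firmware": ata_string_decode(buf[46:54]),   # words 23-26
        "model": ata_string_decode(buf[54:94]),      # words 27-46
        "lba48": lba48,
        "hpa_supported": bool(w[82] & (1 << 10)),    # word 82 bit 10: Host Protected Area
        "dco_supported": bool(w[83] & (1 << 11)),    # word 83 bit 11: Device Configuration Overlay
        "reported_sectors": sectors,
    }


def check_drive(identify: bytes, native_max_sectors: int, baseline: dict) -> list:
    """Compare what the drive tells the OS against two independent references.

    native_max_sectors is the value returned by READ NATIVE MAX ADDRESS (EXT)
    (hdparm -N shows it); baseline maps serial number -> firmware revision
    recorded when the drive was known good. Returns a list of findings.
    """
    info = parse_identify(identify)
    findings = []
    hidden = native_max_sectors - info["reported_sectors"]
    if hidden > 0:
        mib = hidden * SECTOR_BYTES // (1024 * 1024)
        findings.append(f"{hidden} sectors ({mib} MiB) exist beyond the capacity reported to the OS")
    expected = baseline.get(info["serial"])
    if expected is None:
        findings.append(f"no baseline firmware revision recorded for serial {info['serial']}")
    elif expected != info["firmware"]:
        findings.append(f"firmware revision changed: baseline {expected}, drive now reports {info['firmware']}")
    return findings


def build_identify(serial: str, firmware: str, model: str, reported_sectors: int) -> bytes:
    """Construct a minimal IDENTIFY DEVICE block for testing (not a real drive dump)."""
    words = [0] * 256
    words[82] = (1 << 14) | (1 << 10)              # bit 14 set / bit 15 clear = word valid; HPA supported
    words[83] = (1 << 14) | (1 << 11) | (1 << 10)  # valid; DCO supported; LBA48 supported
    lba28 = min(reported_sectors, 0x0FFFFFFF)
    words[60], words[61] = lba28 & 0xFFFF, lba28 >> 16
    for i in range(4):
        words[100 + i] = (reported_sectors >> (16 * i)) & 0xFFFF
    buf = bytearray(struct.pack("<256H", *words))
    buf[20:40] = ata_string_encode(serial, 20)
    buf[46:54] = ata_string_encode(firmware, 8)
    buf[54:94] = ata_string_encode(model, 40)
    return bytes(buf)


# Constructed sample: the drive exposes 1,000,000 sectors to the OS while the
# native max address says 2,000,000, and the firmware revision no longer
# matches the recorded baseline.
SAMPLE_IDENTIFY = build_identify("CONSTRUCTED-SN01", "FW01.23A", "EXAMPLE DISK MODEL", 1_000_000)
SAMPLE_NATIVE_MAX_SECTORS = 2_000_000
SAMPLE_BASELINE = {"CONSTRUCTED-SN01": "FW01.00A"}

if __name__ == "__main__":
    for line in check_drive(SAMPLE_IDENTIFY, SAMPLE_NATIVE_MAX_SECTORS, SAMPLE_BASELINE):
        print(line)
```

The capacity comparison catches the ordinary ways of hiding part of a disk (HPA/DCO, or firmware that trims the capacity in IDENTIFY but still answers READ NATIVE MAX ADDRESS honestly), and the revision comparison catches a firmware update that changed the version string. Both are easily defeated by firmware that also lies about the native maximum and keeps the old revision string, which is exactly why the comment above asks for signed firmware, a write-protect switch and a way to read the firmware back for comparison.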