• Mike Ghazaleh

Can ESXi get infected by malware?

I began my career by working with ESXi 3 or 4 (I can't quite recall which). At the time, it was really just a cool way to have a few VMs in our environment, augmenting the high number of bare metal servers we had.

Obviously times have changed, and now many organizations are 90%+ virtualized, if not completely virtualized and depending upon a solution such as VMware ESXi to take care of that. Naturally, when talking with customers about using ESXi, the question does occasionally come up: Can ESXi get infected by malware? Can an attacker gain access to ESXi, then ultimately my VMs? What if a VM gets infected, can an attacker escape the VM and take control of the entire host? These are all legitimate questions, and I hope to clear up some of them today.

Can ESXi itself get infected by some sort of malware/ransomware?

A general rule of thumb is, if it has a CPU, some sort of memory and storage, you can probably compromise it! ESXi is no exception to this rule. Thankfully, there hasn't been any public-facing stories of this happening. That's saying a lot, considering how many organizations have been breached in the last 5 years alone, and ESXi has been around since the early 2000s.

That said, the best example of ESXi getting infected, is the VirtualPITA and VirtualPIE. Both of these are backdoors which create listeners on your ESXi hosts, and look a lot like a legitimate VMware Installation Bundle. This makes them exceptionally dangerous, as they can easily persist in an environment undetected for a long period of time. You can find some guidance from VMware on how to mitigate, and detect these types of malware here.

If infected with this form of malware, they support arbitrary command execution and reverse shell - which essentially means your host is truly at the mercy of the attackers. In this scenario, your VMs are not safe either.

Thankfully, preventing this form of malware is relatively easy and relies on a few simple things such as:

  • Changing the default ESXi behavior to only allow signed VIBs (default is PartnerSupported in versions prior to ESXi 8). vSphere 8 disables third party VIB installs by default. You can change this with the Host Acceptance Level setting.

  • Enable SecureBoot

  • Keep ESXi hosts updated/patched

  • Follow general security best-practices as it relates to installing software from known sources, maintaining a secure identity source (such as Active Directory), etc.

Can an attacker move from host to VM? And vice versa?

In short, not really, although it is technically possible. This is because there are inherently communication channels between VMs and the host known as Virtual Machine Communication Interface (VMCI). On the VM-side, this is done via VMware Tools. You can selectively disable pieces of this, and that's actually the recommendation in the VMware security hardening guides.

Now, onto the million dollar question:

Can an attacker 'escape' a VM and take ownership of the ESXi host?

This has been debated for a while. It was technically possible to escape a VM using VMware Workstation, as was detailed by some security researchers at the BlackHat conference a few years ago. VMware subsequently made some updates and soon said it was no longer possible. VMware says there has never been an attack "in the wild" using VM escape on the ESXi hypervisor.

So, never say "never" - but, in 20+ years of being on the market, ESXi has not had a VM escape. That said, there's some excellent information you can find here which provides more technical detail on why this isn't really possible/likely in ESXi. This was written by Mike Foley, one of the best experts when it comes to ESXi security.


Recent Posts

See All