VM BPDU spoofing attack works quite nicely in HA clusters

When I wrote the Virtual switches need BPDU guard blog post, I speculated that you could shut down a whole HA cluster with a single BPDU-generating VM ... and got a nice confirmation during the Troopers 13 conference: ERNW specialists successfully demonstrated the attack while testing the security aspects of a public cloud implementation for a major service provider.

For more information, read their blog post (they also have a nice presentation explaining how a VM can read the ESXi hard drive with a properly constructed VMDK file).
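To make the mechanics of the attack concrete, here is an added example (mine, not code from the original post or from ERNW's demonstration). It builds an 802.1D Configuration BPDU the way a rogue VM would, parses it the way a switch would, and then applies the three possible policies of the physical server-facing port (BPDU guard, BPDU filter, or plain STP participation) to a constructed three-host cluster model. The host names, the VM's MAC address and the one-uplink-per-host / HA-restarts-the-VM-on-the-next-host assumptions are illustrative, not a trace of real vSphere behaviour.

```python
"""Added example: 802.1D Configuration BPDU builder/parser plus a model of
what a switch port's BPDU policy lets a BPDU-sending VM do to an HA cluster.
The cluster model and the rogue VM's MAC are constructed for illustration."""
import struct

STP_MCAST = bytes.fromhex("0180c2000000")  # 01:80:C2:00:00:00, IEEE STP group address
LLC_STP = b"\x42\x42\x03"                  # DSAP=SSAP=0x42, UI control byte, precedes a BPDU
# Protocol ID, version, BPDU type, flags, root ID, root path cost, bridge ID,
# port ID, message age, max age, hello time, forward delay (timers in 1/256 s)
_CFG_BPDU = "!HBBB8sI8sHHHHH"
CFG_BPDU_LEN = struct.calcsize(_CFG_BPDU)  # 35 bytes


def bridge_id(priority, mac):
    """Bridge ID = 2-byte priority + 6-byte MAC; the numerically lower ID wins."""
    return struct.pack("!H", priority) + bytes.fromhex(mac.replace(":", ""))


def build_config_bpdu(src_mac, priority=32768, root_path_cost=0):
    """Ethernet frame (dst, src, 802.3 length, LLC, BPDU) that a bridge emits when it
    claims to be the root: root ID equals its own bridge ID and the cost is 0.
    A rogue VM with priority 0 beats any default (32768) root bridge."""
    bid = bridge_id(priority, src_mac)
    bpdu = struct.pack(_CFG_BPDU, 0x0000, 0x00, 0x00, 0x00, bid, root_path_cost,
                       bid, 0x8001, 0, 20 * 256, 2 * 256, 15 * 256)
    src = bytes.fromhex(src_mac.replace(":", ""))
    return STP_MCAST + src + struct.pack("!H", len(LLC_STP) + len(bpdu)) + LLC_STP + bpdu


def parse_bpdu(frame):
    """Decode a Configuration BPDU; return None for anything that is not one."""
    if frame[:6] != STP_MCAST or frame[14:17] != LLC_STP:
        return None
    body = frame[17:17 + CFG_BPDU_LEN]
    if len(body) != CFG_BPDU_LEN:
        return None
    (proto, _ver, btype, _flags, root, cost, bridge,
     port, _age, max_age, hello, _fwd) = struct.unpack(_CFG_BPDU, body)
    if proto != 0 or btype != 0x00:
        return None
    return {"root_priority": struct.unpack("!H", root[:2])[0],
            "root_mac": root[2:].hex(":"), "cost": cost,
            "bridge_mac": bridge[2:].hex(":"), "port": port,
            "max_age": max_age / 256, "hello": hello / 256}


def port_reaction(frame, policy, current_root_priority=32768):
    """What a server-facing switch port does with an ingress frame.
    'bpduguard':  any BPDU err-disables the port, so the host loses that uplink.
    'bpdufilter': the BPDU is silently dropped; the port stays up and STP never
                  hears about the rogue bridge (the canary is killed preemptively).
    'none':       the BPDU is processed; a priority below the real root's makes
                  the VM the new root bridge of the physical network."""
    bpdu = parse_bpdu(frame)
    if bpdu is None:
        return "forward"
    if policy == "bpduguard":
        return "err-disable"
    if policy == "bpdufilter":
        return "drop"
    return "new-root" if bpdu["root_priority"] < current_root_priority else "process"


def simulate_ha_cluster(hosts, policy, rogue_priority=0):
    """Constructed model: the rogue VM runs on hosts[0] and sends one BPDU.
    Assumptions: one uplink per host, and when that uplink is err-disabled HA
    restarts the (HA-protected) VM on the next surviving host.
    Returns (hosts taken down in order, the last port reaction seen)."""
    alive = list(hosts)
    dead = []
    reaction = None
    while alive:
        host = alive[0]
        # 00:50:56 is a VMware OUI; the full address is constructed for the example
        frame = build_config_bpdu("00:50:56:aa:bb:cc", rogue_priority)
        reaction = port_reaction(frame, policy)
        if reaction != "err-disable":
            break
        dead.append(host)
        alive.pop(0)
    return dead, reaction


if __name__ == "__main__":
    for pol in ("bpduguard", "bpdufilter", "none"):
        print(pol, simulate_ha_cluster(["esx1", "esx2", "esx3"], pol))
```

With `bpduguard` every host is err-disabled in turn and the list of dead hosts is the whole cluster, which is exactly the cascade the post describes; with `bpdufilter` nothing goes down but the rogue BPDU is dropped without anyone noticing; with no policy the VM with priority 0 simply becomes the root bridge. The only setting that both keeps the cluster up and keeps STP honest is a BPDU guard on the virtual switch port of the offending VM rather than on the physical uplink, which is the argument of the earlier post.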


  1. One more reason to implement Nexus 1KV or a similar product and have a proper switch in the virtual access layer.
  2. Hi

    This happened to me...!!

    We run a Nexus network with FEX, and on Cisco FEX you cannot disable BPDU guard, and BPDU filter is not an option.

    So one of the server guys started up a Citrix NetScaler and enabled spanning tree, and this took down one host at a time.

    So cluster = dead!

    Thank god you now have the option to enable BPDU guard on vSphere 5.0
    1. You don't have BPDU Guard on vSphere 5.1; it's BPDU filter.


      Nexus 1000V is no better (apart from the fact the BPDU filter is enabled by default ;).

      In both cases, you're preemptively killing canaries:

    2. Ivan, you're right :) BPDU Filter...

      I just want a "REAL" software switch.

      Do you have any idea why they made the FEX the way they did? No spanning-tree support :(

    3. A little bit off-topic perhaps, but I thought it might be useful to note that Citrix NetScaler does NOT partake in Spanning Tree. It is not possible to enable spanning tree on Citrix NetScaler.
      It is best practice to enable "Bridge BPDU" mode on NetScaler when operating the NetScaler in Layer 2 mode in order to avoid accidental forwarding loops.
      Also, with Layer 2 mode enabled on NetScaler, it is entirely possible to configure topologies that will result in forwarding loops that STP cannot resolve.

    4. Just looked in the documentation .. :) and you're right.

      In both modes of operation, L2 and L3, a NetScaler generally drops packets that are in:
      - Multicast frames
      - Unknown protocol frames destined for a NetScaler's MAC address (non-IP and non-ARP)
      - Spanning Tree protocol (unless BridgeBPDUs is ON)

  3. Ivan,

    thanks for the reference. Just a short note on the VMDK file stuff. There's a much more comprehensive write-up here: https://www.ernw.de/download/ERNW_Newsletter_41_ExploitingVirtualFileFormats_signed.pdf.

