March 11, 2025

VMware Under Attack Again—Three New Zero Days! | Tech News of the Week

Welcome to another round of tech news! This week, we're diving into the resurrection of a once-popular social media site, the EU's big bet on RISC-V, fresh zero days for VMware, and Broadcom's bold money-making moves.

🎯 **Reddit's Co-Founder Wants to Fix Social Media... With More Social Media?** 
Alexis Ohanian, one of Reddit’s original creators (the one who *doesn’t* suck), is teaming up with the founder of Digg to bring it back from the dead. Digg was a big deal in the mid-2000s before it collapsed under bad management, but now it’s making a comeback with AI in tow. Will it be the next big thing or another failed revival? Only time will tell. Want to get in early? They’re taking email sign-ups now. 
🔗https://www.nytimes.com/2025/03/05/technology/digg-alexis-ohanian-kevin-rose.html

💾 **The EU Goes All-In on RISC-V for Supercomputing** 
Europe is pushing hard for digital independence with a $260 million investment in RISC-V-based supercomputing chips. The project, named DAR (Digital Autonomy with RISC-V for Europe), aims to develop three chiplets for high-performance computing. It's a bold move away from x86 and Arm dominance, but can they deliver on their aggressive timeline? 
🔗 https://www.theregister.com/2025/03/07/dare_europe_risc_v_project/

⚠️ **Three New VMware Zero Days—Because One Isn't Enough!** 
VMware ESX is under attack again, with three fresh zero-day vulnerabilities actively exploited in the wild. The worst of the bunch (CVE-2025-22224) lets attackers execute code on an ESXi host. Microsoft actually reported these to Broadcom, which is a fun little twist. If you haven't patched your VMware hosts yet, now would be a *really* good time. 
🔗 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390

💰 **Broadcom's VMware Cash Grab is Working... For Now** 
Broadcom is cashing in on its $69 billion VMware acquisition by slashing products, jacking up prices, and locking in big customers. The strategy seems to be working—at least in the short term—as revenue soars. But with frustrated customers looking for alternatives, could VMware's long-term future be in jeopardy? Competitors like Nutanix are already gaining ground. 
🔗 https://investors.broadcom.com/news-releases/news-release-details/broadcom-inc-announces-first-quarter-fiscal-year-2025-financial

That’s it for this week! Like, subscribe, and maybe, just maybe, we'll see you again next time. 🚀

Transcript

[00:00:00.00]
Announcer: Welcome to Tech News of the Week with your host, The Rhythm of the Night, The Night.


[00:00:06.00]
Ned: Welcome to Tech News of the Week. This is our weekly Tech News podcast where Chris and I get into four interesting things that jumped in front of us this week. What jumped in front of you, Chris?


[00:00:21.18]
Chris: I don't have a good response to that, so I'm just going to go.


[00:00:24.12]
Ned: Okay.


[00:00:25.23]
Chris: The solution to the scourge of social media is more social media? One of the original creators of Reddit sure thinks so. So just a little bit of history. Reddit, which is a super popular website that sucks now, was created by three people who were idealistic and just wanted to create a lightweight website where people could share news and links and memes and cat photos and talk about it. And that was it. Yep. One of those people tragically died. One of the others left the company because of the third one, who sucks. Naturally, the one who sucks is the one that took Reddit public and ruined it for his own personal profit. Great guy. Anyway, Alexis Ohanian, the other one, the one who didn't die and doesn't suck, recently teamed up with the creator of erstwhile Reddit competitor Digg to go ahead and give Digg one more college try. Digg was popular in the mid-2000s for reasons that I don't 100% remember because it was a long time ago, and I don't like to talk about the grinding, unbreakable passage of time right now. And hey, also, why don't you get off my back about it for about five seconds?


[00:01:44.23]
Chris: Yeah?


[00:01:45.21]
Ned: Good. Yeah.


[00:01:47.20]
Chris: Digg was the simplest version of a link sharing site. But unfortunately, it was also poorly managed, abandoned, and sold for scrap in about 2012. But now it's back. Well, I mean, not back yet, but it's back soon. And they're incorporating AI because it's 2025, and of course they are. I just looked and the site is up, but it is definitely not back. It is, however, accepting email addresses if you want to go ahead and get on the list for an early invite. Also, the website reminded me that Digg had a clever tagline that was "Digg, the front page of the Internet," which I think made sense at the time, but I wonder if the youths will be confused by it now. Yes. Actually, did it make sense at the time? We're talking about 2006. I'm pretty sure JNCOs were still a thing. Maybe things making sense was not what was in.


[00:02:55.17]
Ned: No. Being able to house a small homeless population under your legs, that was in. The EU dares to risk it all. That works a lot better in print. RISC-V continues its ascendance with an EU-based group providing funding and guidance for adoption of RISC-V in their next generation of supercomputers and HPCs. The group, called DARE, is short for Digital Autonomy with RISC-V for Europe, and it has scraped together $260 million in funding to drive the development of three chiplets that can form the basis for a processor in HPC gear. Each chiplet will be designed by a different company, with the vector math accelerator being farmed out to OpenChip, an inference chiplet being assigned to Axelera AI, and a general purpose die given to Codasip. All three of these companies are EU-based, and two of them, Axelera and Codasip, already have RISC-V designs in production. The overall project is planned for six years, with chipsets being available in three years. That is a fairly tight timeline when it comes to chip design and manufacture, and they may find themselves stymied by long wait times at the old chip fab. The EU is not alone in pushing for an Arm- and x86-free future in the supercomputing and HPC space, with both India and China also adopting the open and royalty-free ISA standard.


[00:04:32.10]
Ned: With trade wars escalating across the globe and the US being a licensing bully, selecting an open standard does seem like the responsible thing to do. Still, with RISC-V being a totally new ISA, there is copious low-level programming to be done for it to reach parity with established architectures. Fortunately, the rise of Arm forced developers to think about alternate architectures that weren't x86, and so, ironically, the work of Arm to supplant x86 may be the instrument of its own eventual replacement.


[00:05:09.19]
Chris: Three more zero days announced for VMware. People said that Broadcom stopped innovating. From the "I swear we wrote about this already, but we can't have done, because it's a zero day, and that's not how zero days work" department, Broadcom announced three zero day attacks against VMware ESX products that have been exploited in the wild. Fun. CVE-2025-22224, 22225, and 22226 were announced on March fourth. 22224, the worst one, is at a critical level and would allow local attackers who have administrative rights on a virtual machine to execute code as VMX on the ESXi host. Very bad. The other two involve a sandbox escape, also bad, and read access to leaked memory from the hypervisor. Not ideal. These vulnerabilities, in addition to being very dangerous, were in fact reported to Broadcom by Microsoft. I actually don't have that much more to add to this, so we can keep this one short. Yes, your ESXi hosts aren't, or at least, God help us, they shouldn't be accessible from the network. This does not mean that they are not an attack vector. These things do crop up, most recently in November of 2024, and the fixes for them need to be applied as soon as possible.


[00:06:49.18]
Chris: If you haven't applied the fixes for the November 2024 issues, go ahead and apply those too. I promise you there will be no awards given for the ESXi box with the most uptime, now or in the future.


[00:07:07.06]
Ned: Sticking with VMware, Broadcom rent extraction is successful. Yay for short term gain and locking in large customers. When Broadcom was trying to sell its $69 billion purchase of VMware to investors, CEO Hock Tan promised that VMware's run rate would balloon from 4.7 billion to 8.5 billion in just a couple of years after the acquisition. The only way to accomplish this goal would be to make some serious cuts to existing staff and massively increase the cost of the product. Don't sell more, just sell less for more. By all accounts, Broadcom has done both, with layoffs at VMware and price increases of 2X to 10X what customers are currently paying. Broadcom did so by removing existing SKUs that broke out products separately and bringing them all under the VMware Cloud Foundation umbrella. The result, according to Broadcom's earnings call: the vast majority of their 10,000 biggest customers have gotten on board with the enhanced licensing packages, and the revenue is rolling in to the tune of an estimated 3.4 billion in Q1 of 2025. It's not entirely surprising that so many large customers got in line with Broadcom's machinations. After all, these large customers are deeply entrenched in the VMware ecosystem, and rapidly deploying an alternative solution is just not a viable option.


[00:08:39.03]
Ned: Instead, I suspect many of these customers have swallowed the bitter pill of VCF while making plans on the side to eventually migrate away from Broadcom. Competitors like Nutanix are banking on this slow migration and have already seen modest gains from smaller customers that jumped ship rather than pay the VCF tax. My guess is that over the next decade, VMware revenue will peak early on and then start its slow decline into oblivion, which probably suits Broadcom just fine. They'll simply move on to acquire the next rent extraction vehicle while keeping VMware on life support until it is no longer a viable concern. It's a depressing elegy for what was once a shining beacon of tech innovation. Yay. All right, that's it. We're done now. Go away. Bye.