New Vulnerability Discovered in VMware Cloud Director
Cybersecurity researchers have recently revealed a significant vulnerability within VMware’s Cloud Director platform, potentially granting attackers unauthorized access to sensitive information and control over private cloud infrastructures. This vulnerability, identified as CVE-2020-3956, arises from insufficient input validation, enabling authenticated attackers to inject malicious code into the platform. The severity of this flaw is underscored by its score of 8.8 out of 10 on the CVSS v3 scale, categorizing it as a critical threat.
VMware Cloud Director, widely utilized for deploying, automating, and managing cloud resources, allows businesses to organize distributed data centers into virtualized environments. This vulnerability affects various versions of VMware Cloud Director: 10.0.x prior to 10.0.0.2, 9.7.0.x before 9.7.0.5, 9.5.0.x before 9.5.0.6, and 9.1.0.x prior to 9.1.0.4. The discovery of the flaw was made by Citadelo, a Prague-based ethical hacking firm, commissioned by a Fortune 500 client to perform a security audit of their cloud services.
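Because the advisory describes the affected versions as branches with a first fixed release, the practical first step for an operator is to compare each Cloud Director cell's version against those ranges. The following is an added example, not code from the article, Citadelo or VMware: it encodes the four ranges quoted above and reports which entries in a constructed inventory still need patching. The inventory contents are made up for illustration.

```python
# Added example: triage VMware Cloud Director versions against the CVE-2020-3956
# ranges quoted in the article (10.0.x < 10.0.0.2, 9.7.0.x < 9.7.0.5,
# 9.5.0.x < 9.5.0.6, 9.1.0.x < 9.1.0.4). Not vendor code.
from typing import Dict, List, Optional, Tuple

# (affected branch prefix) -> (first fixed version on that branch)
AFFECTED_BRANCHES: Dict[Tuple[int, ...], Tuple[int, ...]] = {
    (10, 0):   (10, 0, 0, 2),
    (9, 7, 0): (9, 7, 0, 5),
    (9, 5, 0): (9, 5, 0, 6),
    (9, 1, 0): (9, 1, 0, 4),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.0.0.1' into (10, 0, 0, 1); reject anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(version: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    # '10.0' is treated as 10.0.0.0 so a short string compares correctly.
    return version + (0,) * (width - len(version))


def is_affected(text: str) -> Optional[bool]:
    """True if the version is in an affected range, False if at/after the fix,
    None if the branch is not one the advisory lists (e.g. 10.1.x)."""
    version = parse_version(text)
    for branch, fixed in AFFECTED_BRANCHES.items():
        if version[:len(branch)] == branch:
            return _pad(version, len(fixed)) < fixed
    return None


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the names of inventory entries whose version is still vulnerable."""
    return sorted(name for name, ver in inventory.items() if is_affected(ver) is True)


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are illustrative only).
    sample = {
        "vcd-cell-a": "10.0.0.1",
        "vcd-cell-b": "10.0.0.2",
        "vcd-cell-c": "9.7.0.4",
        "vcd-cell-d": "9.1.0.4",
        "vcd-lab":    "10.1.0",
    }
    for name in triage(sample):
        print(f"{name}: {sample[name]} is within an affected range, patch required")
```

`is_affected` deliberately returns `None` rather than `False` for branches the advisory does not mention, so an unlisted release is surfaced for manual review instead of being silently treated as safe.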
The vulnerability can be exploited through multiple interfaces, including the HTML5 and Flex-based user interfaces, as well as the API Explorer and API access points. Citadelo produced a proof-of-concept to demonstrate the exploitability of the issue. The initial phase of their investigation revealed an anomaly when a specific mathematical expression was supplied as a hostname, suggesting a possible Expression Language injection. This entry point allowed the researchers to access Java classes and execute malicious commands.
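The root cause named above is insufficient input validation on a field that should only ever hold a hostname. The defensive counterpart is a strict allow-list check: a value that conforms to the RFC 1123 hostname grammar cannot contain the `$`, `{`, `}` or operator characters an Expression Language template needs, so the expression never reaches an interpreter. The code below is an added example, not Cloud Director's own validation logic; the sample inputs are constructed.

```python
# Added example: allow-list validation of a hostname field (RFC 1123 labels).
# Illustrative only; this is not VMware Cloud Director code.
import re

# One label: 1-63 characters, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
_MAX_HOSTNAME_LEN = 253


def validate_hostname(value: str) -> str:
    """Return the normalised hostname or raise ValueError. Never echoes the
    rejected value back into a template or log line unescaped."""
    if not isinstance(value, str):
        raise ValueError("hostname must be a string")
    candidate = value[:-1] if value.endswith(".") else value  # allow one trailing dot
    if not 1 <= len(candidate) <= _MAX_HOSTNAME_LEN:
        raise ValueError("hostname length out of range")
    for label in candidate.split("."):
        if not _LABEL.match(label):
            raise ValueError(f"invalid hostname label (length {len(label)})")
    return candidate.lower()


def is_valid_hostname(value) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_hostname(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a normal name, a name carrying template syntax, a bad label.
    for sample in ["vcd-cell01.example.com.", "cell${x}.example", "-bad.example"]:
        print(f"{sample!r}: {'accepted' if is_valid_hostname(sample) else 'rejected'}")
```

Two design points matter here. The check is an allow-list (what a hostname may contain) rather than a deny-list of template delimiters, so it does not need updating when a new expression syntax appears. And the error message reports the label's length rather than its content, so the rejected string is not reflected into a log viewer or error page where it could be interpreted a second time.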
Exploiting this vulnerability, Citadelo carried out several actions within the Cloud Director ecosystem. They gained visibility into the internal database, revealing password hashes for customer accounts. Additionally, they were able to modify the system database, facilitating unauthorized access to virtual machines assigned to different organizations. The researchers achieved privilege escalation from “Organization Administrator” to “System Administrator” by executing a simple SQL query to alter passwords. Furthermore, they were able to edit the Cloud Director login page, potentially capturing passwords in plaintext, including those of high-level administrative accounts.
Following the timely disclosure of these vulnerabilities to VMware on April 1, the company implemented a series of patches across affected versions, effectively addressing the critical security loopholes. VMware has also issued a workaround to mitigate potential attack vectors related to this vulnerability.
Although cloud infrastructures generally employ robust security measures, such as encryption and network traffic isolation, vulnerabilities remain a challenge for all software applications, including those from major cloud service providers. Tomas Zatko, CEO of Citadelo, highlights the importance of continuous monitoring for vulnerabilities within cloud applications, emphasizing that a secure architecture does not make them impervious to attacks.
In summary, the vulnerability affects a key infrastructure component for numerous organizations, placing sensitive data at risk. Business owners utilizing VMware Cloud Director should immediately assess their system versions and implement the necessary updates to safeguard against potential exploitation. By leveraging the MITRE ATT&CK framework, one can identify tactics such as initial access and privilege escalation that may have been utilized in this incident, reinforcing the need for vigilance within cybersecurity protocols.