A code injection vulnerability (CVE-2020-3956) affecting VMware vCloud Director could be exploited to take over the infrastructure of cloud services, Citadelo researchers have discovered.
About VMware vCloud Director and CVE-2020-3956
VMware Cloud Director (formerly known as vCloud Director) is a cloud service delivery platform used by public and private cloud providers to operate and manage cloud infrastructure.
CVE-2020-3956 was discovered by Citadelo penetration testers during a security audit of a customer’s VMware Cloud Director-based cloud infrastructure.
“An authenticated actor may be able to send malicious traffic to VMware Cloud Director which may lead to arbitrary remote code execution. This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access,” VMware explained in a security advisory published on May 19, after the company finished releasing patches for several versions of vCloud Director.
The researchers have provided more details about the vulnerability, explained how it can be exploited, and shared an exploit.
The damage attackers can do after exploiting the flaw is substantial. They can:
- View content of the internal system database, including password hashes of any customers allocated to this infrastructure
- Modify the system database to steal foreign virtual machines (VM) assigned to different organizations within Cloud Director
- Escalate privileges from “Organization Administrator” (normally a customer account) to “System Administrator” with access to all cloud accounts (organization) as an attacker can change the hash for this account
- Modify the login page to Cloud Director, which allows the attacker to capture passwords of another customer in plaintext, including System Administrator accounts
- Read other sensitive data related to customers.
The vulnerability has been patched
The vulnerability was privately reported to VMware and was addressed in patches released in April and May.
VMware considers the flaw to be “important” and not “critical”, since an attacker must be authenticated in order to exploit CVE-2020-3956. But, as the researchers noted, “cloud providers offering a free trial to potential new customers using VMware Cloud Director are at high risk because an untrusted actor can quickly take advantage.”
Admins are advised to upgrade to vCloud Director 10.0.0.2, or to the patched release for their 9.x branch listed in VMware’s advisory, to plug the security hole. A workaround is also available for those who can’t upgrade to a recommended version (temporarily or ever).
VMware Cloud Director v10.1.0 and vCloud Director versions 9.0.x and 8.x are not affected by the flaw.