A new critical vulnerability in VMware’s Cloud Director platform was discovered by researchers at the security firm Citadelo; it could be abused to take over corporate servers.
VMware Cloud Director is a cloud service-delivery platform that allows organizations to operate and manage successful cloud-service businesses. By using VMware Cloud Director, the cloud providers can provide secure, efficient and elastic cloud resources to thousands of enterprises and IT teams across the world.
The flaw, tracked as CVE-2020-3956, could allow an authenticated attacker to gain access to the corporate network, access sensitive data and take control of private clouds across an entire infrastructure.
According to an advisory from VMware, a code injection vulnerability in VMware Cloud Director was privately reported to the company, and patches and workarounds for the affected VMware products are available.
CVE-2020-3956 is a code injection issue caused by improper input handling: an attacker can trigger it by sending malicious traffic to Cloud Director, leading to the execution of arbitrary code. The flaw received a score of 8.8 out of 10 on the CVSS v3 severity scale.
The flaw can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface, and direct API access.
The vulnerability affects VMware Cloud Director versions 10.0.x before 10.0.0.2, 9.7.0.x before 18.104.22.168, 9.5.0.x before 22.214.171.124, and 9.1.0.x before 126.96.36.199.
The researchers at Prague-based firm Citadelo spotted the issue while conducting a security audit of the cloud infrastructure of an unnamed Fortune 500 enterprise customer.
They have posted a blog explaining that a simple form submission can be manipulated to gain control of any Virtual Machine (VM) within VMware Cloud Director.
They also published a proof-of-concept to demonstrate the exploit’s severity.
By triggering the vulnerability, the researchers were able to:
- View content of the internal system database, including password hashes of any customers allocated to this infrastructure.
- Modify the system database to steal foreign virtual machines (VM) assigned to different organizations within Cloud Director.
- Escalate privileges from “Organization Administrator” to “System Administrator” with access to all cloud accounts.
- Modify the login page to Cloud Director, which allows the attacker to capture passwords of another customer in plaintext, including System Administrator accounts.
- Read other sensitive data related to customers, like full names, email addresses or IP addresses.
Citadelo reported the flaw to VMware on April 1, and the company addressed the issue with the release of versions 188.8.131.52, 184.108.40.206, 220.127.116.11, and 10.0.0.2.
VMware has also published a workaround to reduce the risk of exploitation for customers who cannot immediately apply the patches.