Cloud infrastructure operators should quickly patch VMware Cloud Director flaw


Left unpatched, this command injection flaw could allow attackers to take control of a virtualised cloud infrastructure


Public and private cloud administrators who are using VMware Cloud Director should immediately apply the patch for a high-risk vulnerability that can be used by hackers to take full control of virtualised cloud infrastructure, security experts warn.

VMware released fixes for the command injection flaw last month, but if left unpatched, it can be easily exploited through customer trial accounts.

VMware Cloud Director (previously vCloud Director) is a cloud service delivery platform that allows cloud providers, governments or large enterprises to create, deploy and manage virtual data centres. It provides a web-based management interface as well as an API through which customers can manage their virtual cloud resources.

Penetration testers from security consulting firm Citadelo found the VMware Cloud Director vulnerability during a security audit of the VMware-based cloud infrastructure of a Fortune 500 organisation earlier this year. They reported the flaw -- which is tracked as CVE-2020-3956 -- to VMware in early April and the software vendor released patches and a security advisory in May.

VMware rated the issue 8.8 (high) in the Common Vulnerability Scoring System (CVSS) and said that it can lead to arbitrary remote code execution. The flaw can be exploited through the HTML5 and Flex-based user interfaces of Cloud Director, as well as its API Explorer interface and API access.

Full access without exploiting the hypervisor

When it comes to hypervisors, the most sought-after vulnerabilities by attackers are those that allow them to escape from virtual machines into the host systems. Such flaws violate the fundamental segmentation layer between guest operating systems and the host that is supposed to provide security assurances in a virtualised environment.

The annual Pwn2Own hacking contest lists VMware ESXi alongside VMware Workstation among its targets and pays up to $150,000 for a successful virtual machine escape. Exploit acquisition firm Zerodium pays up to $200,000 for such an exploit.

While CVE-2020-3956 is not a vulnerability in the hypervisor itself, it ultimately has the same impact. The flaw gives hackers access to the system's database, where they can replace the login credentials of any existing customer, or of the highest-privileged user in the system, which in turn gives them access to all virtual machines and the entire cloud environment.

In a stealthier attack, hackers could use the access provided by the vulnerability to add a backdoor administrative account. This could remain undetected for a long period of time if the victim doesn't have proper monitoring in place, Tomas Zatko, Citadelo's CEO, tells CSO.

Authenticated cloud access in the real world

The reason the flaw has not been rated critical is likely because attackers technically need authenticated access to VMware Cloud Director to exploit it. However, according to Citadelo's Zatko, that's not hard to achieve in practice since most cloud providers offer trial accounts to potential customers that involve access to the Cloud Director interface.

In most cases there is no real identity verification either for such accounts, so attackers can gain easy access without providing their real identities.

This highlights a larger issue with assessing risk based only on vulnerability scores: Severity scores don't always reflect or take into account the real-world conditions in which vulnerable systems might typically exist. Certain configuration or deployment choices can make a vulnerability much easier or harder to exploit than the advisory or the CVSS score suggests.

Zatko is concerned that users of VMware Cloud Director did not take the issue seriously enough based on the advisory alone. More than two weeks after the patches were released, his company tested another Fortune 500 organisation that used the product and it was still vulnerable.

VMware advises users to upgrade to versions 10.0.0.2, 9.7.0.5, 9.5.0.6 or 9.1.0.4 of the product. Version 10.1.0 is not affected. The company has also released manual workarounds that can be applied to deployments that cannot be updated to a new version immediately.
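A small triage helper for the version advice above, added here as an example and not code from the article or from VMware: it classifies a reported Cloud Director version against the fixed releases named in the article (10.0.0.2, 9.7.0.5, 9.5.0.6, 9.1.0.4, with 10.1.0 unaffected). The inventory dictionary is constructed sample data, and treating branches the article does not mention as "unknown" rather than guessing is an assumption of this example.

```python
# Added example (not from the article or VMware): classify VMware Cloud Director
# versions against the fixed releases for CVE-2020-3956 named in the article.
from typing import Dict, Tuple

# Patched release per affected branch, as listed in the article.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (9, 1): (9, 1, 0, 4),
    (9, 5): (9, 5, 0, 6),
    (9, 7): (9, 7, 0, 5),
    (10, 0): (10, 0, 0, 2),
}
UNAFFECTED_FROM = (10, 1, 0)  # the article states 10.1.0 is not affected


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.0.0.1' into (10, 0, 0, 1); a build suffix such as '-12345' is ignored."""
    core = text.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    if len(parts) < 2:
        raise ValueError(f"unrecognised version string: {text!r}")
    while len(parts) < 4:          # pad so tuples compare field by field
        parts.append(0)
    return tuple(parts)


def assess(version: str) -> str:
    """Return 'not affected', 'patched', 'vulnerable' or 'unknown branch (check advisory)'."""
    v = parse_version(version)
    if v[:3] >= UNAFFECTED_FROM:
        return "not affected"
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        # Assumption: the article names no fix for other branches, so do not guess.
        return "unknown branch (check advisory)"
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host name to its assessment; sorted so the report is stable."""
    return {host: assess(ver) for host, ver in sorted(inventory.items())}


if __name__ == "__main__":
    # Constructed sample inventory (host -> reported Cloud Director version).
    sample = {"vcd-prod-1": "10.0.0.1", "vcd-prod-2": "9.7.0.5-4321",
              "vcd-lab": "10.1.0", "vcd-legacy": "9.0.0.2"}
    for host, verdict in triage(sample).items():
        print(f"{host:12} {sample[host]:14} {verdict}")
```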
