VMware vulnerability enables takeover of cloud infrastructure
A new vulnerability in VMware Cloud Director allowed any user to obtain control of any virtual machine on a public or private cloud, according to ethical hacking firm Citadelo.
A new vulnerability in VMware Cloud Director can allow hackers to gain control of any virtual machine on the platform, according to the ethical hacking firm that discovered it.
Citadelo, a Prague-based security company, was hired by an unnamed Fortune 500 enterprise to conduct a security audit of its VMware Cloud Director infrastructure and discovered the vulnerability earlier this year. The initial report of the vulnerability was sent to VMware on April 1; after the vendor successfully reproduced the vulnerability on April 3, it released updates on April 30 and May 19. Citadelo's post, which included proof-of-concept code, was published on June 1.
The VMware vulnerability, listed as CVE-2020-3956, is a code injection vulnerability that via a single form submission enables an authenticated user to "gain access to sensitive data and take over control of private clouds within an entire infrastructure." In addition, Citadelo researchers found exploitation of the vulnerability could allow attackers to gain control of customer environments on a cloud service. "It also grants access to an attacker to modify the login section of the entire infrastructure to capture the username and password of another customer," the post said.
Through the vulnerability, Citadelo was able to conduct the following actions, according to its post:
- view content of the internal system database, including password hashes of any customers allocated to this infrastructure;
- modify the system database to steal foreign virtual machines (VMs) assigned to different organizations within Cloud Director;
- escalate privileges from "Organization Administrator" (normally a customer account) to "System Administrator" with access to all cloud accounts (organization) as an attacker can change the hash for this account;
- modify the login page of Cloud Director, which allows the attacker to capture other customers' passwords in plaintext, including those of System Administrator accounts; and
- read other sensitive data related to customers, like full names, email addresses or IP addresses.
VMware assigned the Cloud Director vulnerability an 8.8 CVSSv3 score, rating it as "important." Citadelo board member Mateo Meier told SearchSecurity his company has performed remote code execution on different production and testing environments through public and private cloud infrastructure.
When asked how many customers have patched the vulnerability so far, Meier said via email, "This would be a question for VMware directly. However, we have a feeling (and feeling is the right word) that not all providers which are using VMware Cloud Director understand the impact of this vulnerability. With this release, we wanted to underline the importance of regular internal and external security testing, detecting similar issues even before the vendor discovers a vulnerability."