VMware patches security bug exposing private cloud infrastructure to complete takeover
Written by James Orme Wed 3 Jun 2020

Ethical hackers discover code injection flaw in VMware Cloud Director
Cyber security researchers discovered a flaw in VMware’s cloud-service delivery platform that could have allowed hackers to seize control of enterprise private clouds.
Ethical hackers working for cyber security company Citadelo discovered the flaw in VMware Cloud Director, previously vCloud Director, during a security audit of Fortune 500 companies using the platform.
The software is used by enterprise clouds and cloud service providers to operate and manage cloud infrastructure, for tasks such as cloud migration, virtual data centre management and data centre expansion.
In addition to leaving private clouds vulnerable to takeover, the researchers warned hackers could have exploited the bug to seize sensitive data and access user credentials.
VMware patched the flaw and disclosed the updates to VMware Cloud Director users once the vulnerability was identified. The company also released a workaround for customers unable to perform updates.
“In general, cloud infrastructure is considered relatively safe because different security layers are being implemented within its core, such as encryption, isolating of network traffic, or customer segmentations,” commented Tomas Zatko, CEO at Citadelo. “However, security vulnerabilities can be found in any type of application, including the Cloud providers themselves.”
This particular flaw, tracked as CVE-2020-3956, is classified as a code injection vulnerability and was rated by VMware as “important”, with a high CVSSv3 score of 8.8.
Any authenticated user could have sent crafted requests to VMware Cloud Director through the web-based interface or the API and thereby executed arbitrary code remotely, exposing Cloud Director users to a whole range of attacks.
Citadelo researchers were able to view the content of the internal system database, modify the system database to steal other tenants’ virtual machines (VMs), and escalate privileges from “Organisation Administrator” to “System Administrator”.
They were also able to modify the login page to Cloud Director to capture customer passwords and read other sensitive data related to customers, like full names, email addresses or IP addresses.