Cybersecurity researchers today disclosed details for a new vulnerability in VMware’s Cloud Director platform that could potentially allow an attacker to gain access to sensitive information and control private clouds within an entire infrastructure.
Tracked as CVE-2020-3956, the code injection flaw stems from an improper input handling that could be abused by an authenticated attacker to send malicious traffic to Cloud Director, leading to the execution of arbitrary code.
It’s rated 8.8 out of 10 on the CVSS v3 vulnerability severity scale, making it a critical vulnerability.
VMware Cloud Director is a popular deployment, automation, and management software that’s used to operate and manage cloud resources, allowing businesses to pool data centers distributed across different geographical locations into virtual data centers.
According to the company, the vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface, and API access.
The vulnerability impacts VMware Cloud Director versions 10.0.x before 10.0.0.2, 9.7.0.x before 9.7.0.5, 9.5.0.x before 9.5.0.6, and 9.1.0.x before 9.1.0.4.
The vulnerability was identified by Prague-based ethical hacking firm Citadelo after it was hired earlier this year by an unnamed Fortune 500 enterprise customer to carry out a security audit of its cloud infrastructure.
It has also published a proof-of-concept to demonstrate the exploit’s severity.
“Everything started with just a simple anomaly. When we entered ${7*7} as a hostname for the SMTP server in vCloud Director, we received the following error message: String value has an invalid format, value: [49],” Citadelo noted in its report. “It indicated some form of Expression Language injection, as we were able to evaluate simple arithmetic functions on the server-side.”
Using this as an entry point, the researchers said they were able to access arbitrary Java classes (e.g. “java.io.BufferedReader”) and instantiate them by passing malicious payloads.
Citadelo said it was able to perform the following set of actions by exploiting the flaw:
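The anomaly Citadelo describes, a configuration field that echoes back an evaluated expression, points at two defensive controls: the field should accept only a strict hostname grammar (allowlist, not a blocklist of bad characters), and configuration audit logs should be watched for expression-language probes so that a test like the one above is noticed long before anyone reaches a Java class. The Python below is an added example written for this article; it is not code from Citadelo, VMware, or the Cloud Director product, and the log format, field names and usernames in it are constructed.

```python
import re

# RFC 1123 host label: 1-63 chars of letters, digits and hyphens, no leading/trailing hyphen.
HOSTNAME_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Expression Language / template-style markers (${...} and #{...}). A hostname never
# legitimately contains these, so their presence in such a field is a strong signal.
EL_MARKERS = re.compile(r"[$#]\{[^}]*\}")


def is_valid_hostname(value: str) -> bool:
    """Allowlist check: dot-separated RFC 1123 labels, at most 253 chars overall."""
    if not value or len(value) > 253:
        return False
    if value.endswith("."):
        value = value[:-1]
    return all(HOSTNAME_LABEL.match(label) for label in value.split("."))


def classify_hostname_input(value: str):
    """Return ('accept', value) or ('reject', reason).

    The allowlist decides acceptance on its own; the EL check only refines the
    rejection reason so the event can be logged and alerted on separately.
    """
    if is_valid_hostname(value):
        return ("accept", value)
    if EL_MARKERS.search(value):
        return ("reject", "expression-language syntax in hostname field")
    return ("reject", "not a valid RFC 1123 hostname")


# Constructed audit-log sample (hypothetical format) for the detection routine below.
SAMPLE_LOG = """\
2020-04-01T10:00:01Z INFO  config.update user=orgadmin@acme field=smtp.host value="mail.example.com"
2020-04-01T10:00:07Z WARN  config.update user=orgadmin@acme field=smtp.host value="${7*7}"
2020-04-01T10:00:09Z WARN  config.update user=orgadmin@acme field=smtp.host value="#{1+1}"
2020-04-01T10:01:00Z INFO  config.update user=sysadmin field=smtp.port value="587"
"""

LOG_FIELD = re.compile(r'field=(\S+)\s+value="([^"]*)"')


def find_el_probes(log_text: str):
    """Scan configuration-change log lines and return (field, value) pairs
    whose submitted value contains expression-language syntax."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_FIELD.search(line)
        if not match:
            continue
        field, value = match.groups()
        if EL_MARKERS.search(value):
            findings.append((field, value))
    return findings


if __name__ == "__main__":
    for candidate in ("mail.example.com", "${7*7}", "-bad.example.com"):
        print(candidate, "->", classify_hostname_input(candidate))
    print("EL probes in log:", find_el_probes(SAMPLE_LOG))
```

The ordering in classify_hostname_input is deliberate: the allowlist is the security control, and the EL pattern is telemetry. A blocklist of `${` and `#{` alone would miss other ways to smuggle an expression into a field that is later interpolated, whereas a field that only ever accepts valid hostnames has nothing to interpolate. The log scan is the detection counterpart: an organisation administrator submitting `${7*7}` as an SMTP host is exactly the kind of event worth surfacing to a SOC.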
- View content of the internal system database, including password hashes of any customers allocated to this infrastructure.
- Modify the system database to access foreign virtual machines (VM) assigned to different organizations within Cloud Director.
- Escalate privileges from “Organization Administrator” to “System Administrator” with access to all cloud accounts by merely changing the password via an SQL query.
- Modify the Cloud Director’s login page, allowing the attacker to capture passwords of another customer in plaintext, including System Administrator accounts.
- Read other sensitive data related to customers, like full names, email addresses, or IP addresses.
After Citadelo privately disclosed the findings to VMware on April 1, the company patched the flaw in a series of updates spanning versions 9.1.0.4, 9.5.0.6, 9.7.0.5, and 10.0.0.2.
VMware has also released a workaround to mitigate the risk of attacks exploiting the issue.
“In general, cloud infrastructure is considered relatively safe because different security layers are being implemented within its core, such as encryption, isolation of network traffic, or customer segmentation. However, security vulnerabilities can be found in any type of application, including the Cloud providers themselves,” Tomas Zatko, CEO of Citadelo, said.