
VMware vulnerability leaves private clouds open to takeover

Ethical hackers from Citadelo uncovered a vulnerability in VMware Cloud Director that left private cloud owners open to takeover

VMware has patched a significant vulnerability in Cloud Director (until recently known as vCloud Director), the multi-tenant management platform used by cloud providers. Left unpatched, the flaw could have allowed cyber criminals to take over enterprise private clouds hosted on the platform, exfiltrate sensitive data, and tamper with the login page to capture the credentials of other users.

The bug stems from improper handling of user-supplied input in Cloud Director, which leads to a code injection vulnerability: an authenticated user of the platform, such as a tenant organisation administrator, can have the server execute attacker-controlled code, giving remote code execution on the provider's infrastructure.

It can be exploited through the HTML5- and Flex-based user interfaces, the API Explorer interface and direct API access. It was discovered by researchers Tomáš Melicher and Lukáš Václavík of ethical hacking specialist Citadelo during a scheduled penetration test at a VMware customer.
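The article does not publish the injection point, and nothing below reproduces the Cloud Director flaw. As an added illustration of the bug class it names (untrusted input reaching a server-side expression evaluator), the following constructed Python example, written for this page and not Citadelo's or VMware's code, shows a settings field that is interpolated by an evaluator beside a hardened version that allow-lists the field on input and never evaluates stored values. The internal record, the `${...}` syntax and all names are assumptions.

```python
import re

# Constructed stand-in for internal state a server-side expression engine can
# reach: an administrator record with its password hash (assumed data).
INTERNAL_DB = {"system_admin": {"password_hash": "sha256$constructed-example-hash"}}

# Assumed expression syntax: ${...} inside a stored setting value.
EXPR = re.compile(r"\$\{([^}]*)\}")


def render_setting_vulnerable(stored_value: str) -> str:
    """VULNERABLE: a user-supplied setting (for example a hostname) is run
    through an expression evaluator, so ${...} in the value is executed with
    the server's own objects in scope."""
    scope = {"db": INTERNAL_DB}

    def _evaluate(match):
        # Attacker-controlled text reaches eval(); stripping builtins does not
        # help because the interesting objects are already in scope.
        return str(eval(match.group(1), {"__builtins__": {}}, scope))

    return EXPR.sub(_evaluate, stored_value)


# Hardened path: validate on input against an allow-list of what the field may
# legitimately contain, and never hand stored values to an evaluator.
HOSTNAME_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(rf"^(?:{HOSTNAME_LABEL}\.)*{HOSTNAME_LABEL}$")


def store_hostname_safe(submitted: str) -> str:
    """Accept only a syntactically valid hostname (RFC 1123 labels, at most
    253 characters); anything else, including ${...}, is rejected before it
    is ever stored."""
    if len(submitted) > 253 or not HOSTNAME.fullmatch(submitted):
        raise ValueError(f"rejected hostname: {submitted!r}")
    return submitted


def render_setting_safe(stored_value: str) -> str:
    """Stored values are opaque text: no expression evaluation at all."""
    return stored_value


def demo() -> dict:
    """Run both paths on a benign value and on an injection payload and
    return what each produced."""
    benign = "mail.example.com"
    payload = '${db["system_admin"]["password_hash"]}'
    results = {
        "vuln_benign": render_setting_vulnerable(benign),
        "vuln_payload": render_setting_vulnerable(payload),
        "safe_benign": render_setting_safe(store_hostname_safe(benign)),
    }
    try:
        store_hostname_safe(payload)
        results["safe_payload"] = "accepted"
    except ValueError:
        results["safe_payload"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The vulnerable renderer returns the benign hostname unchanged, which is why such a field can sit in production for a long time, but the payload makes it return the administrator's password hash, the kind of internal database read the researchers describe. The hardened version fails closed: the input validator only knows what a hostname looks like, so the injection attempt never reaches storage, and the renderer has no evaluator to abuse even if something else slipped through.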

The relatively simple vulnerability, CVE-2020-3056, is significant because Cloud Director is the shared control plane through which a provider runs many customers' private clouds. Successful exploitation at a provider would therefore not be confined to the attacker's own tenant: it could be used to compromise the other private clouds that provider hosts, turning the provider into the vector of a supply chain attack on its customers.

“In general, cloud infrastructure is considered relatively safe because different security layers are being implemented within its core, such as encryption, isolation of network traffic, or customer segmentation,” said Citadelo CEO Tomáš Zatko. “However, security vulnerabilities can be found in any type of application, including the cloud providers themselves.”

Melicher and Václavík said that by exploiting the vulnerability they had been able to:

  • View the contents of the internal system database, including the password hashes of any customers allocated to the target infrastructure.
  • Modify the system database to steal virtual machines (VMs) assigned to other organisations within Cloud Director.
  • Escalate privileges from organisation administrator, the level of access a customer normally holds, to system administrator, with access to all accounts.
  • Modify the Cloud Director login page to capture the credentials of other customers, including system administrator accounts.
  • Read other sensitive customer data.


VMware was first informed of the vulnerability on 1 April 2020, and new versions of Cloud Director with fixes were available by the end of April, with further fixed versions following during May. VMware has also published an advisory with further information and workarounds on its website for any customers that cannot apply a patch at this time. Because the flaw is reachable by an authenticated tenant user, providers should treat patching as urgent rather than relying on the fact that the interfaces are not anonymous.

“We would also like to thank VMware for their cooperation during the responsible disclosure process and their effort to fix the vulnerability quickly,” said Citadelo.

It said the disclosure highlights the importance of regular penetration testing in reducing the risk of exposure. Citadelo has published a more detailed write-up of the vulnerability.
