If not corrected, this command injection flaw can allow attackers to take control of a virtualized cloud infrastructure.
Public and private cloud administrators who use VMware Cloud Director should immediately apply the patch for a high-risk vulnerability that hackers can exploit to take complete control of the virtualized cloud infrastructure, security experts warn. VMware released fixes for the command injection flaw last month, but where it remains unpatched it can easily be exploited through the trial accounts that providers offer to customers. The VMware Cloud Director (formerly vCloud Director) cloud service delivery platform lets cloud providers, governments, and large enterprises create, deploy, and manage virtual datacenters. It includes a web-based management interface as well as an API through which customers can manage their virtual cloud resources.
The vulnerability affecting VMware Cloud Director was discovered at the start of the year by penetration testers from the security consultancy Citadelo while they were performing a security audit of a Fortune 500 company's VMware-based cloud infrastructure. The flaw, tracked as CVE-2020-3956, was reported to VMware in early April, and VMware released patches and a security advisory in May. VMware, which assigned the flaw a high score of 8.8 in the Common Vulnerability Scoring System (CVSS), said it could lead to remote arbitrary code execution. The flaw can be exploited via the HTML5 and Flex user interfaces of Cloud Director, as well as via its API Explorer interface and API access.
Full access without going through the hypervisor
Regarding hypervisors, the vulnerabilities most sought after by attackers are those that allow them to escape from a virtual machine to the host system. Such flaws undermine the fundamental segmentation layer between guest operating systems and the host, which is supposed to provide the security guarantees of a virtualized environment. VMware ESXi and VMware Workstation are prominent targets in the annual Pwn2Own hacking contest, which pays up to $150,000 to hackers who manage to escape from a virtual machine. Zerodium, which buys vulnerabilities from hackers, pays up to $200,000 for such a feat.
Even though the CVE-2020-3956 flaw does not affect the hypervisor itself, the end result is the same. It gives hackers access to the system database, where they can replace the login credentials of any existing customer, or of the most privileged user on the system, which in turn gives them access to all virtual machines and the entire cloud environment. In a stealthier attack, hackers could use the access provided by the vulnerability to add a rogue administrator account. “This type of theft could go unnoticed for a long time if the victim does not have adequate monitoring,” said Tomas Zatko, CEO of Citadelo.
Authenticated access to the cloud in the real world
The flaw was not rated critical because attackers technically need authenticated access to VMware Cloud Director to exploit it. However, according to Tomas Zatko, this authentication is not difficult to obtain in practice, since most cloud providers offer trial accounts to potential customers, and those accounts come with access to the Cloud Director interface. In most cases, these accounts are not subject to any real identity verification either, so attackers can obtain them without revealing their real identity. This flaw highlights a broader problem: risk assessment based solely on vulnerability scores. Severity scores do not reflect, or do not always take into account, the real situation of the vulnerable systems. Certain configuration or deployment choices can make a vulnerability much easier or much harder to exploit, and the CVSS score does not capture this.
Zatko is concerned that, going by the advisory, VMware Cloud Director users have not taken the issue seriously enough. More than two weeks after the patches became available, Citadelo tested another Fortune 500 company using the product and found that it was still vulnerable. VMware advises users to upgrade to product versions 10.0.0.2, 9.7.0.5, 9.5.0.6 or 9.1.0.4. Version 10.1.0 is not affected. The vendor has also released manual workarounds for deployments that cannot be updated immediately.