Left unpatched, this command injection flaw could allow attackers to take control of a virtualized cloud infrastructure.

Public and private cloud administrators who are using VMware Cloud Director should immediately apply the patch for a high-risk vulnerability that can be used by hackers to take full control of virtualized cloud infrastructure, security experts warn. VMware released fixes for the command injection flaw last month, but if left unpatched, it can be easily exploited through customer trial accounts.

VMware Cloud Director (previously vCloud Director) is a cloud service delivery platform that allows cloud providers, governments or large enterprises to create, deploy and manage virtual datacenters. It provides a web-based management interface as well as an API through which customers can manage their virtual cloud resources.

Penetration testers from security consulting firm Citadelo found the VMware Cloud Director vulnerability during a security audit of the VMware-based cloud infrastructure of a Fortune 500 organization earlier this year. They reported the flaw — which is tracked as CVE-2020-3956 — to VMware in early April, and the software vendor released patches and a security advisory in May. VMware rated the issue 8.8 (high) in the Common Vulnerability Scoring System (CVSS) and said that it can lead to arbitrary remote code execution. The flaw can be exploited through the HTML5 and Flex-based user interfaces of Cloud Director, as well as its API Explorer interface and API access.

Full access without exploiting the hypervisor

When it comes to hypervisors, the most sought-after vulnerabilities by attackers are those that allow them to escape from virtual machines into the host systems.
Such flaws violate the fundamental segmentation layer between guest operating systems and the host that is supposed to provide security assurances in a virtualized environment. The annual Pwn2Own hacking contest lists VMware ESXi alongside VMware Workstation among its targets and pays up to $150,000 for a successful virtual machine escape. Exploit acquisition firm Zerodium pays up to $200,000 for such an exploit.

While CVE-2020-3956 is not a vulnerability in the hypervisor itself, it ultimately has the same impact. The flaw gives hackers access to the system’s database, where they can replace the login credentials for any existing customers, or for the highest privileged user in the system, which in turn gives them access to all virtual machines and the entire cloud environment.

In a stealthier attack, hackers could use the access provided by the vulnerability to add a backdoor administrative account. This could remain undetected for a long period of time if the victim doesn’t have proper monitoring in place, Tomas Zatko, Citadelo’s CEO, tells CSO.

Authenticated cloud access in the real world

The reason the flaw has not been rated critical is likely because attackers technically need authenticated access to VMware Cloud Director to exploit it. However, according to Citadelo’s Zatko, that’s not hard to achieve in practice, since most cloud providers offer trial accounts to potential customers that include access to the Cloud Director interface. In most cases there is no real identity verification for such accounts either, so attackers can gain easy access without providing their real identities.

This highlights a larger issue with assessing risk based only on vulnerability scores: severity scores don’t always reflect or take into account the real-world conditions in which vulnerable systems typically exist.
Certain configuration or deployment choices can make a vulnerability much easier or harder to exploit than the advisory or the CVSS score suggests.

Zatko is concerned that VMware Cloud Director users did not take the issue seriously enough based on the advisory alone. More than two weeks after the patches had been released, his company tested another Fortune 500 organization that used the product, and it was still vulnerable.

VMware advises users to upgrade to versions 10.0.0.2, 9.7.0.5, 9.5.0.6 or 9.1.0.4 of the product. Version 10.1.0 is not affected. The company has also released manual workarounds that can be applied to deployments that cannot be updated to a new version immediately.
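The fixed versions above are spread across four release branches, so a simple "is my version newer than X" check gets the answer wrong for an inventory that mixes 9.x and 10.x deployments. The following is an added example (editor's code, not VMware's or Citadelo's) that classifies a version string per branch using only the fix levels named in this article. Treating later builds on a fixed branch as patched, and the whole 10.1 branch as unaffected because the article says 10.1.0 is not affected, are assumptions made here; any branch the advisory does not name is reported as unknown rather than guessed at. The host names and versions in the sample inventory are constructed.

```python
"""Classify VMware Cloud Director versions against the CVE-2020-3956 fix levels.

Editor-added example, not vendor code. Fix levels are those quoted in the
article from VMware's advisory; branch handling beyond that is an assumption.
"""
from typing import Dict, Tuple

# First fixed build per release branch ("major.minor" -> version tuple).
FIXED_BY_BRANCH: Dict[str, Tuple[int, ...]] = {
    "10.0": (10, 0, 0, 2),
    "9.7": (9, 7, 0, 5),
    "9.5": (9, 5, 0, 6),
    "9.1": (9, 1, 0, 4),
}

# The article states 10.1.0 is not affected; extending that to the whole
# 10.1 branch is an assumption made for this example.
UNAFFECTED_BRANCHES = {"10.1"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.7.0.5' into (9, 7, 0, 5); reject anything not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(text: str) -> str:
    """Return 'patched', 'vulnerable', 'not_affected' or 'unknown'."""
    ver = parse_version(text)
    if len(ver) < 2:
        return "unknown"  # cannot even determine the branch
    branch = f"{ver[0]}.{ver[1]}"
    if branch in UNAFFECTED_BRANCHES:
        return "not_affected"
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        # A branch the advisory does not name: do not guess either way.
        return "unknown"
    # Tuple comparison is lexicographic: (9,7,0,10) > (9,7,0,5), and a
    # shorter tuple such as (9,7) compares as older than (9,7,0,5).
    return "patched" if ver >= fixed else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> status for a {host: version} inventory."""
    return {host: classify(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = {
        "vcd-prod-01": "9.7.0.4",
        "vcd-prod-02": "9.7.0.5",
        "vcd-lab": "10.1.0",
        "vcd-old": "9.5.0.3",
        "vcd-new": "10.0.0.2",
        "vcd-legacy": "8.20.0.1",
    }
    for host, status in triage(sample).items():
        print(f"{host:12} {sample[host]:10} {status}")
```

Feed `triage()` the version column from whatever asset inventory you keep; hosts reported as `unknown` still need a manual look against the advisory, since the script deliberately refuses to extrapolate beyond the branches it was given.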
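The "stealthier attack" described earlier, a backdoor administrative account that survives because nobody is watching, is caught by the simplest form of the monitoring Zatko mentions: periodically export the account list and compare it with an approved baseline. The following is an added example (editor's code, not VMware's or Citadelo's) of that comparison. The account records are constructed, and the field names and role names are assumptions for illustration, not Cloud Director's actual user schema.

```python
"""Flag privileged accounts that are absent from, or escalated since, an
approved baseline. Editor-added example with constructed data; field and role
names are assumptions, not VMware Cloud Director's real user schema."""
from typing import Dict, List

Account = Dict[str, str]

# Roles treated as privileged for this check (illustrative assumption).
PRIVILEGED_ROLES = {"System Administrator", "Organization Administrator"}

# Constructed baseline, captured when the deployment was known-good.
BASELINE: List[Account] = [
    {"org": "System", "name": "administrator", "role": "System Administrator"},
    {"org": "acme", "name": "jdoe", "role": "Organization Administrator"},
    {"org": "acme", "name": "tenant-user", "role": "vApp User"},
]

# Constructed current export: one account quietly escalated, one new admin.
CURRENT_ACCOUNTS: List[Account] = [
    {"org": "System", "name": "administrator", "role": "System Administrator"},
    {"org": "acme", "name": "jdoe", "role": "Organization Administrator"},
    {"org": "acme", "name": "tenant-user", "role": "Organization Administrator"},
    {"org": "System", "name": "svc-backup", "role": "System Administrator"},
]


def find_unapproved_admins(baseline: List[Account],
                           current: List[Account]) -> List[Account]:
    """Return privileged accounts in `current` that were not privileged in
    `baseline`. Each finding is the account record plus a `reason` field."""
    approved = {(a["org"], a["name"]): a["role"] for a in baseline}
    findings: List[Account] = []
    for acct in current:
        if acct["role"] not in PRIVILEGED_ROLES:
            continue  # unprivileged accounts are out of scope for this check
        prior = approved.get((acct["org"], acct["name"]))
        if prior is None:
            findings.append({**acct, "reason": "privileged account not in baseline"})
        elif prior not in PRIVILEGED_ROLES:
            findings.append({**acct, "reason": f"role escalated from {prior}"})
    return findings


if __name__ == "__main__":
    for f in find_unapproved_admins(BASELINE, CURRENT_ACCOUNTS):
        print(f"{f['org']}/{f['name']}: {f['role']} ({f['reason']})")
```

Keying on organization plus user name rather than name alone keeps a tenant-level `admin` from masquerading as the system-level one, and comparing roles rather than mere presence catches the quieter case where an existing low-privilege account is promoted instead of a new one being created. The baseline itself has to be stored somewhere the attacker cannot reach through the same database access, otherwise it can be edited to match.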