Cloud infrastructure operators should quickly patch VMware Cloud Director flaw

Public and private cloud administrators who are using VMware Cloud Director should immediately apply the patch for a high-risk vulnerability that can be used by hackers to take full control of virtualized cloud infrastructure, security experts warn. VMware released fixes for the command injection flaw last month, but if left unpatched, it can be easily exploited through customer trial accounts.

VMware Cloud Director (previously vCloud Director) is a cloud service delivery platform that allows cloud providers, governments or large enterprises to create, deploy and manage virtual datacenters. It provides a web-based management interface as well as an API through which customers can manage their virtual cloud resources.

Penetration testers from security consulting firm Citadelo found the VMware Cloud Director vulnerability during a security audit of the VMware-based cloud infrastructure of a Fortune 500 organization earlier this year. They reported the flaw — which is tracked as CVE-2020-3956 — to VMware in early April and the software vendor released patches and a security advisory in May.

VMware rated the issue 8.8 (high) in the Common Vulnerabilities Scoring System (CVSS) and said that it can lead to arbitrary remote code execution. The flaw can be exploited through the HTML5 and Flex-based user interfaces of Cloud Director, as well as its API Explorer interface and API access.

Full access without exploiting the hypervisor

When it comes to hypervisors, the most sought-after vulnerabilities by attackers are those that allow them to escape from virtual machines into the host systems. Such flaws violate the fundamental segmentation layer between guest operating systems and the host that is supposed to provide security assurances in a virtualized environment.

The annual Pwn2Own hacking contest lists VMware ESXi alongside VMware Workstation among its targets and pays up to $150,000 for a successful virtual machine escape. Exploit acquisition firm Zerodium pays up to $200,000 for such an exploit.

While CVE-2020-3956 is not a vulnerability in the hypervisor itself, it ultimately has the same impact. The flaw gives hackers access to the system’s database where they can replace the login credentials for any existing customers, or for the highest privileged user in the system, which in turns gives them access to all virtual machines and the entire cloud environment.

In a stealthier attack, hackers could use the access provided by the vulnerability to add a backdoor administrative account. This could remain undetected for a long period of time if the victim doesn’t have proper monitoring in place, Tomas Zatko, Citadelo’s CEO, tells CSO.

Authenticated cloud access in the real world

The reason the flaw has not been rated critical is likely because attackers technically need authenticated access to VMware Cloud Director to exploit it. However, according to Citadelo’s Zatko, that’s not hard to achieve in practice since most cloud providers offer trial accounts to potential customers that involve access to the Cloud Director interface. In most cases there is no real identity verification either for such accounts, so attackers can gain easy access without providing their real identities.

This highlights a larger issue with assessing risk based only on vulnerability scores: Severity scores don’t always reflect or take into account the real-world conditions in which vulnerable systems might typically exist. Certain configuration or deployment choices can make a vulnerability much easier or harder to exploit than the advisory or the CVSS score suggests.

Zatko is concerned that VMware Cloud Director users did not take the issue too seriously based on the advisory alone. More than two weeks after the patches had already been out, his company tested another Fortune 500 organization that used the product and it was still vulnerable.

VMware advises users to upgrade to versions 10.0.0.2, 9.7.0.5, 9.5.0.6 or 9.1.0.4 of the product. Version 10.1.0 is not affected. The company has also released manual workarounds that can be applied to deployments that cannot be updated to a new version immediately.