Cybersecurity Threat Advisory 0038-20: VMware Cloud Director Flaws (CVE 2020-3956)
VMware Cloud Director is potentially vulnerable to a remote code injection attack that would allow an attacker to view/modify databases and escalate privileges from organizational admin to system admin. SKOUT advises updating VMware Cloud Director to version 10.1.0 or higher.
Technical detail and additional information
What is the threat?
A code injection vulnerability exists in VMware Cloud Director that can allow an attacker to execute code remotely if exploited. Specifically, an attacker can find a cloud provider that will provide a free trial of the cloud platform, then during the product’s free trial the attacker can use the HTML and Flex user interface or API calls they can take control of the entire managed environment they are a part of. In one proof of concept, this exploit was shown to allow testers to change the administrator’s password for the cloud infrastructure. This allowed them to take control of the entire environment and gain access to every cloud environment that the cloud provider manages.
Why is this noteworthy?
The most noteworthy aspect of this vulnerability is that all it requires on the attackers’ side is locating a cloud provider using the software that is willing to provide a trial of the platform. This however is not difficult according to researchers, and in their testing, they were in contact with a number of cloud providers more than willing to offer a free trial. From here an attacker can log in, modify an expression that gets sent to the server, and force the server via that expression to change the administrator password. This privilege escalation allows any attacker with the given trial to usurp the entire cloud environment from the provider. It is important to note that with this approach the password is never actually stolen and cracked, but instead simply changed by the code injection to the database. The fact that the takeover can be done with a trial account can also result in difficulty for the provider even determining who the attacker is.
What is the exposure or risk?
The potential for damage if a malicious actor had access to even a single cloud infrastructure managed by this platform is high, and with this exploit they would have access to every cloud infrastructure that the provider manages. The attacker could escalate their privileges from an “Organization Administrator” (a customer account) to “System Administrator” with access to all cloud accounts, and then change the hash for this account to prevent legitimate access. From here there is significant damage that can be done. This includes but is not limited to stealing password hashes for customers in the platform from the internal system database, reading sensitive customer information such as names/emails/Ips, modifying the Cloud Director login page to capture passwords from customers in plaintext, and more. The attacker has full administrative control over all systems in the environment, so any host for any customer is at risk of having any number of malicious changes made to it. For example, this level of access could make it trivial to deploy ransomware across one (or more) entire environments.
What are the recommendations?
As this vulnerability was privately reported to VMware, it has been addressed and VMware has provided patches to remediate if possible and a workaround if patching is not possible. Both are detailed in the link on VMware’s website below:
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.