Critical flaw in VMware Cloud Director allows hackers to take over company infrastructure

Pierluigi Paganini June 02, 2020

Researchers disclosed a flaw in the VMware Cloud Director platform, tracked as CVE-2020-3956, that could be abused to take over corporate servers.

Security researchers from the security firm Citadelo disclosed details of a new critical vulnerability in VMware’s Cloud Director platform, tracked as CVE-2020-3956, that could be abused to take over corporate servers.

VMware Cloud Director is a cloud service-delivery platform that allows organizations to operate and manage successful cloud-service businesses. Using VMware Cloud Director, cloud providers deliver secure, efficient, and elastic cloud resources to thousands of enterprises and IT teams across the world.

The vulnerability could potentially allow an authenticated attacker to gain access to the corporate network, access sensitive data, and take control of private clouds across an entire infrastructure.

“A code injection vulnerability in VMware Cloud Director was privately reported to VMware. Patches and workarounds are available to remediate or workaround this vulnerability in affected VMware products.” reads the advisory published by VMware. “VMware Cloud Director does not properly handle input leading to a code injection vulnerability.”

CVE-2020-3956 is a code injection issue caused by improper input handling: an authenticated attacker can trigger it by sending malicious traffic to Cloud Director, leading to the execution of arbitrary code. The flaw received a score of 8.8 out of 10 on the CVSS v3 severity scale.

The flaw can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface, and API access.

“An authenticated actor may be able to send malicious traffic to VMware Cloud Director which may lead to arbitrary remote code execution. This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access.” continues the advisory.

The vulnerability affects VMware Cloud Director versions 10.0.x before 10.0.0.2, 9.7.0.x before 9.7.0.5, 9.5.0.x before 9.5.0.6, and 9.1.0.x before 9.1.0.4.

Experts from Citadelo discovered the issue while conducting a security audit of the cloud infrastructure of an unnamed Fortune 500 enterprise customer.

In a blog post, the researchers explained that a single simple form submission can be manipulated to gain control of any Virtual Machine (VM) within VMware Cloud Director.

“Everything started with just a simple anomaly. When we entered ${7*7} as a hostname for the SMTP server in vCloud Director, we received the following error message: String value has an invalid format, value: [49],” the researchers wrote. “It indicated some form of Expression Language injection, as we were able to evaluate simple arithmetic functions on the server-side.”

The experts exploited the issue to access arbitrary Java classes (e.g. “java.io.BufferedReader”) and instantiate them by passing malicious payloads.
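As an added illustration of the defensive side of this bug class (example code written for this article, not code from Citadelo or VMware): an allow-list validator for an SMTP hostname field that rejects template syntax such as ${7*7}, plus a scan of constructed request log lines for Expression Language style probes. The log format and field names are assumptions.

```python
import re

# RFC 1123 hostname label: letters, digits and hyphens, no leading/trailing
# hyphen, at most 63 characters. Anything else (including "${") is rejected.
HOSTNAME_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Template / Expression Language markers that never belong in a hostname.
EL_MARKERS = re.compile(r"[\$#]\{|\$\(|`")


def is_valid_hostname(value: str) -> bool:
    """Allow-list check for the SMTP server hostname field."""
    if not value or len(value) > 253:
        return False
    if value.endswith("."):          # tolerate a fully-qualified trailing dot
        value = value[:-1]
    return all(HOSTNAME_LABEL.match(label) for label in value.split("."))


def looks_like_el_probe(value: str) -> bool:
    """Deny-list check for EL-style probes such as ${7*7}; use for alerting,
    never as the only control (the allow-list above is the real gate)."""
    return bool(EL_MARKERS.search(value))


# Constructed sample log lines (assumed format, not real Cloud Director logs).
SAMPLE_LOG = """\
2020-04-01T10:00:01Z org=acme user=admin field=smtp.host value=mail.example.com
2020-04-01T10:00:05Z org=acme user=admin field=smtp.host value=${7*7}
2020-04-01T10:00:09Z org=acme user=admin field=smtp.host value=#{1+1}
2020-04-01T10:00:12Z org=beta user=ops field=smtp.host value=smtp-01.corp.internal.
"""

LOG_LINE = re.compile(
    r"org=(?P<org>\S+) user=(?P<user>\S+) field=(?P<field>\S+) value=(?P<value>.*)$"
)


def find_el_probes(log_text: str) -> list:
    """Return the parsed log entries whose submitted value is either an
    EL-style probe or not a syntactically valid hostname."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue
        value = m["value"]
        if looks_like_el_probe(value) or not is_valid_hostname(value):
            hits.append(m.groupdict())
    return hits
```

Running find_el_probes(SAMPLE_LOG) flags the two template-syntax submissions and leaves both real hostnames alone.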

Citadelo experts were able to perform the following actions by triggering the vulnerability:

  • View content of the internal system database, including password hashes of any customers allocated to this infrastructure.
  • Modify the system database to steal foreign virtual machines (VM) assigned to different organizations within Cloud Director.
  • Escalate privileges from “Organization Administrator” (normally a customer account) to “System Administrator” with access to all cloud accounts (organizations), since an attacker can change the password hash for this account.
  • Modify the login page to Cloud Director, which allows the attacker to capture passwords of another customer in plaintext, including System Administrator accounts.
  • Read other sensitive data related to customers, like full names, email addresses or IP addresses.

Citadelo privately reported the flaw to VMware on April 1, and the company addressed the issues with the release of versions 9.1.0.4, 9.5.0.6, 9.7.0.5, and 10.0.0.2.

The experts also published proof-of-concept code for the vulnerability.

VMware has also released a workaround to mitigate the risk of exploitation for the flaw.
