VMware Cloud Director exploit lets hackers seize corporate servers


Keumars Afifi-Sabet

2 Jun, 2020

A vulnerability in VMware’s Cloud Director platform, used by a host of cloud providers to manage cloud infrastructure, could allow attackers to gain access to sensitive data and seize control of infrastructure.

Rated CVSSV3 8.8, and assigned CVE-2020-3956, the code-injection vulnerability in the cloud service-delivery platform could allow an attacker to gain access to sensitive data and take over the control of private clouds within an enterprise.

Hackers could also exploit the vulnerability to gain control over all customers within the cloud. It also grants access to modify the login section of the entire infrastructure to capture the username and password of another customer, according to Citadelo, an ethical hacking company which discovered the vulnerability.

“In general, cloud infrastructure is considered relatively safe because different security layers are being implemented within its core, such as encryption, isolating of network traffic, or customer segmentations,” said Citadelo CEO Tomas Zatko.

“However, security vulnerabilities can be found in any type of application, including the Cloud providers themself.”

Citadelo was hired this year by a fortune 500 enterprise customer to perform a security audit and investigate their VMware Cloud Director-based cloud infrastructure. 

Using the code injection flaw, researchers with the company were able to view the content of the internal system database, including password hashes of any customers allocated to the information system.

From there, they were able to modify the system database to steal foreign virtual machines (VMs) assigned to different organisations within Cloud Director. The flaw also allowed them to escalate privileges from that of a customer account to a system administrator, with access to all cloud accounts.

Finally, they could read all sensitive data related to customers, like full names, email addresses or IP addresses.

The vulnerability was initially reported to VMware on 1 April, with patches released following towards the end of the month, and during May. Organisations that haven’t yet applied the fixes are still vulnerable.

Those affected include public cloud providers using VMware vCloud Director, private cloud providers using VMware vCloud Director, enterprises using VMware vCloud Director technology, and any government identities using VMware Cloud Director.