VMware has patched a serious flaw in its cloud service-delivery platform, VMware Cloud Director, after cybersecurity firm Citadelo issued a security advisory warning of possible threats.
Citadelo said that it uncovered the bug on April 1 while conducting a security audit for a Fortune 500 enterprise client that was using VMware Cloud Director. The software has been adopted by enterprises and cloud service vendors worldwide.
The penetration testing firm attributed the bug in VMware Cloud Director, which facilitates hosting of automation tools, cloud migration, virtual data centre management and data centre expansion, to the platform’s inability to handle input properly.
Hackers can capitalise on the vulnerability, tracked as CVE-2020-3956, to carry out code execution attacks and “technically” assume control over all private clouds linked to the given infrastructure, Citadelo warned.
The bug impacts VMware Cloud Director versions 10.1.0 and below, as well as vCloud Director 8x – 10x on Linux setups and PhotonOS appliances.
Citadelo added that the potential consequences of cyber miscreants exploiting the bug could span credential theft by altering log-in mechanisms, escalation of privileges from organisation administrators to vCloud admins, and tampering with virtual machines through database modification.
As part of its exhaustive analysis of the vulnerability, the cybersecurity firm said that it could read email, IP addresses and other confidential client data, besides gaining access to internal system databases containing password hashes—including customer allocations.
Responding to the advisory, VMware described the bug, which received a CVSSv3 severity score of 8.8, as “important”, and provisioned patches as well as a workaround that is cited in its Knowledge Base.
The cloud computing and virtualisation software provider acknowledged that authenticated actors could possibly route “malicious traffic” to its cloud service-delivery platform, formerly known as vCloud Director, thereby triggering execution of arbitrary remote code.
Hackers could exploit the flaw in VMware Cloud Director via Flex- and HTML5-based user interfaces, the API Explorer interface and API access, VMware noted.
After the bug came to light, the company triaged and reproduced it on April 3, resulting in the build of a patch on April 30. Subsequently, VMware made a disclosure regarding the same in May, to enable users of VMware Cloud Director to patch their builds in time. Finally, VMware unveiled a security advisory to its clients on May 19.