The vulnerability has been fixed with an upgrade, but unpatched systems risk the deletion of databases and virtual machines, or even having an attacker gain admin privileges.
A newly discovered vulnerability in VMware Cloud Director allows attackers who have compromised one account to spread to all the other accounts in a data center.
Previously marketed as vCloud Director (and before that as vCloud Hybrid Service), VMware Cloud Director is a cloud service-delivery platform widely used to deploy and manage virtual data centers and the virtual cloud resources inside them.
“VMware is aware of the vulnerability,” Stefanie Cannon, a VMware spokesperson, told Data Center Knowledge.
VMware issued a security advisory to its customers in late May, she explained, but declined to comment further. “This is our public statement on the issue,” she said.
The good news is that VMware has released an upgrade to its software that fixes the problem, as well as a set of workarounds for cases where the Cloud Director software can’t be upgraded. It’s also good news that only a couple of thousand public-facing servers are vulnerable, according to Tomas Zatko, CEO at Citadelo, the company that discovered the vulnerability.
The bad news is that a server running VMware Cloud Director doesn’t have to be exposed to the internet for the hackers to attack it, and there will probably be companies that don’t react fast enough to fix the problem before the attackers find them.
Zatko told Data Center Knowledge that his company reached out to as many companies as they could to tell them about the problem. “We feel responsible to warn as many people as possible,” he said.
In the attack, an attacker uses compromised credentials to log into a VMware Cloud Director management console and then uses code injection to break out of the application into the underlying infrastructure.
“Then they can do anything,” said Zatko. “They can delete other databases or other virtual machines, copy data, modify data. It’s possible for them to do it in a very loud way, so it’s easy to find them out, or they can do it in a stealthy way. Without a proper security monitoring system and incident response processes, it could be unnoted for a very long time.”
Attackers can also see password hashes for other customers on the system, give themselves system administrator privileges, change the login page for the Cloud Director in order to capture other login credentials, and gather customer information such as names and email addresses.
VMware calls this an “important” vulnerability, with a CVSSv3 rating of up to 8.8 — 10 being the most critical.
Citadelo discovered the vulnerability in April, Zatko said, and reported it to VMware on April 1. It took VMware just a couple of days to confirm that it was a real problem. “Since it was the first of April, they probably thought we were joking, but we were not.”
Citadelo posted the results of their research on June 1, after VMware released the fix and notified its customers.
According to Zatko, vulnerabilities such as this can bring in hundreds of thousands of dollars on the black market if they are discovered by malicious actors and sold before anyone else knows about them, but he hasn’t seen any evidence that this vulnerability has been used in the wild.
Zatko warned that data centers that offer hosting to third parties are particularly vulnerable to this attack, and of those, free trial accounts are particularly dangerous.
“Many providers offer free trial accounts because they want to make things easy for their customers,” he said. “Many times, you don’t even need to provide real information about yourself or your company. You can provide fake information and stay anonymous. Then you create trial accounts and use the vulnerability to gain control over everything.”
In addition to updating software or installing workarounds, he suggests that data centers offering free trial accounts take extra precautions to confirm the identities of people requesting them.
Another step he recommends companies take, to defend against either this particular attack or other zero-days, is to set up honey pots.
“It’s a pretty old security concept, but historically hasn’t been used that much because it was expensive,” he said, adding that these days setting up a honey pot can be quick and easy, either on your own or using commercial services.
The honey pot contains bait (fake data or systems that would be particularly attractive to bad guys but that only show up when someone is doing reconnaissance scans of the environment) rigged with trip wires. If someone gets into a honey pot, that’s a definite sign that an attacker is in the system.
“This is something that’s very efficient and companies aren’t using enough,” Zatko said.
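As an added example (not from the article, Citadelo or VMware), here is a defender-side trip-wire check of the kind Zatko describes, run over constructed audit lines in a hypothetical format: it alerts when any account touches a bait object, and, because this vulnerability lets one compromised tenant account reach other tenants, when a non-provider account acts on another org's resources. The log format, org and object names, `BAIT_TARGETS` and `PROVIDER_ORGS` are all assumptions.

```python
import re

# Constructed sample audit trail (hypothetical format, not VMware's own log format).
# Each line: <time> user=<account> org=<its tenant> action=<op> target_org=<owner> target=<object>
SAMPLE_LOG = """\
2020-06-01T10:00:01Z user=alice org=acme action=vm.poweron target_org=acme target=web-01
2020-06-01T10:00:05Z user=trial42 org=trial action=vm.list target_org=trial target=trial-vm
2020-06-01T10:01:12Z user=trial42 org=trial action=vm.delete target_org=acme target=db-01
2020-06-01T10:01:30Z user=trial42 org=trial action=vm.read target_org=finance target=payroll-backup-DECOY
2020-06-01T10:02:00Z user=bob org=finance action=vm.poweroff target_org=finance target=ledger-02
2020-06-01T10:03:00Z user=provider-admin org=system action=vm.read target_org=acme target=web-01
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) org=(?P<org>\S+) action=(?P<action>\S+) "
    r"target_org=(?P<target_org>\S+) target=(?P<target>\S+)$"
)

# Bait objects (assumed): planted so that no legitimate workflow ever touches them.
BAIT_TARGETS = {("finance", "payroll-backup-DECOY")}
# Provider-level org (assumed name) whose admins legitimately work across tenants.
PROVIDER_ORGS = {"system"}


def parse_audit(log_text):
    """Parse audit lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect(log_text):
    """Return (kind, user, detail) alerts in the order they are triggered."""
    alerts = []
    for e in parse_audit(log_text):
        # Trip wire: any access to a bait object is a definite signal of an intruder.
        if (e["target_org"], e["target"]) in BAIT_TARGETS:
            alerts.append(("tripwire", e["user"], e["target"]))
        # Tenant boundary: a tenant account acting on another org's objects.
        if e["target_org"] != e["org"] and e["org"] not in PROVIDER_ORGS:
            alerts.append(("cross-tenant", e["user"], e["target_org"]))
    return alerts


if __name__ == "__main__":
    for kind, user, detail in detect(SAMPLE_LOG):
        print(f"ALERT {kind}: user={user} detail={detail}")
```

The provider-admin line produces no alert on purpose: system administrators legitimately cross tenant boundaries, so only tenant-scoped accounts are held to the boundary rule.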