Public and private cloud administrators who are using VMware Cloud Director should immediately apply the patch for a high-risk vulnerability that can be used by hackers to take full control of virtualized cloud infrastructure, security experts warn. VMware released fixes for the command injection flaw last month, but if left unpatched, it can be easily exploited through customer trial accounts.
VMware Cloud Director (previously vCloud Director) is a cloud service delivery platform that allows cloud providers, governments or large enterprises to create, deploy and manage virtual datacenters. It provides a web-based management interface as well as an API through which customers can manage their virtual cloud resources.
Penetration testers from security consulting firm Citadelo discovered the vulnerability during a security audit of the VMware-based cloud infrastructure of a Fortune 500 organization earlier this year. They reported the flaw -- which is tracked as CVE-2020-3956 -- to VMware in early April, and the software vendor released patches and a workaround in May.
VMware rated the issue 8.8 (high) in the Common Vulnerability Scoring System (CVSS) and said that it can lead to arbitrary remote code execution. The flaw can be exploited through the HTML5 and Flex-based user interfaces of Cloud Director, as well as its API Explorer interface and API access.
Full access without exploiting the hypervisor
When it comes to hypervisors, the most sought-after vulnerabilities by attackers are those that allow them to escape from virtual machines into the host systems. Such flaws violate the fundamental segmentation layer between guest operating systems and the host that is supposed to provide security assurances in a virtualized environment.
The annual Pwn2Own hacking contest lists VMware ESXi alongside VMware Workstation among its targets and pays up to $150,000 for a successful virtual machine escape. Exploit acquisition firm Zerodium pays up to $200,000 for such an exploit.
While CVE-2020-3956 is not a vulnerability in the hypervisor itself, it ultimately has the same impact. The flaw gives hackers access to the system's database, where they can replace the login credentials for any existing customer, or for the highest-privileged user in the system, which in turn gives them access to all virtual machines and the entire cloud environment.
In a stealthier attack, hackers could use the access provided by the vulnerability to add a backdoor administrative account. This could remain undetected for a long period of time if the victim doesn't have proper monitoring in place, Tomas Zatko, Citadelo's CEO, tells CSO. VMware has also published a workaround that can be applied to deployments that cannot be updated to a new version immediately.
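The "proper monitoring" Zatko refers to comes down to knowing, at any moment, which accounts hold privileged roles and whether their stored credentials have changed since a trusted snapshot was taken. The following is an added example written for this article, not code from VMware, Citadelo or CSO: it compares a baseline listing of accounts against the current one and reports exactly the three changes the article describes (a newly created privileged account, an existing account escalated to a privileged role, and a privileged account whose credential was swapped). The record fields, the role names and the sample accounts are constructed assumptions, not the format any real management API returns.

```python
"""Privileged-account drift check for a cloud management platform.

Added example; not code from the article or from VMware/Citadelo. The
Account record is a hypothetical stand-in for whatever account listing a
platform's management API returns, and the role names are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

# Roles treated as privileged. Assumed names; adjust to the real platform.
PRIVILEGED_ROLES = {"System Administrator", "Organization Administrator"}


@dataclass(frozen=True)
class Account:
    name: str
    role: str
    # A fingerprint (hash) of the stored credential, never the secret itself.
    # A silent credential replacement in the database shows up as a change here.
    credential_fingerprint: str


def index_by_name(accounts: List[Account]) -> Dict[str, Account]:
    """Map account name -> record so the two snapshots can be joined."""
    return {a.name: a for a in accounts}


def detect_privileged_drift(baseline: List[Account],
                            current: List[Account]) -> Dict[str, List[str]]:
    """Compare a trusted snapshot with the live listing.

    Returns account names grouped by finding type. An empty list in every
    category means the privileged population is unchanged.
    """
    before, after = index_by_name(baseline), index_by_name(current)
    findings: Dict[str, List[str]] = {
        "new_privileged": [],      # privileged account absent from baseline
        "escalated": [],           # existed before, but with a lesser role
        "credential_changed": [],  # privileged account, credential fingerprint differs
        "removed_privileged": [],  # privileged account that disappeared
    }
    for name, acct in after.items():
        if acct.role not in PRIVILEGED_ROLES:
            continue
        prior = before.get(name)
        if prior is None:
            findings["new_privileged"].append(name)
            continue
        if prior.role not in PRIVILEGED_ROLES:
            findings["escalated"].append(name)
        if prior.credential_fingerprint != acct.credential_fingerprint:
            findings["credential_changed"].append(name)
    for name, acct in before.items():
        if acct.role in PRIVILEGED_ROLES and name not in after:
            findings["removed_privileged"].append(name)
    return findings


def has_findings(findings: Dict[str, List[str]]) -> bool:
    return any(findings.values())


# Constructed sample data: a trusted baseline and a later listing that shows
# each of the changes the article warns about.
BASELINE = [
    Account("administrator", "System Administrator", "fp-a1"),
    Account("alice", "Organization Administrator", "fp-b2"),
    Account("bob", "vApp Author", "fp-c3"),
]
CURRENT = [
    Account("administrator", "System Administrator", "fp-zz"),  # credential replaced
    Account("alice", "Organization Administrator", "fp-b2"),    # unchanged
    Account("bob", "System Administrator", "fp-c3"),            # escalated
    Account("svc-backup", "System Administrator", "fp-d4"),     # new admin account
]

if __name__ == "__main__":
    report = detect_privileged_drift(BASELINE, CURRENT)
    for kind, names in report.items():
        if names:
            print(f"{kind}: {', '.join(names)}")
    if not has_findings(report):
        print("no privileged-account drift")
```

The baseline should be captured out-of-band (exported and stored where an attacker with database access cannot rewrite it), otherwise a compromise of the platform also compromises the reference the check relies on. Running the comparison on a schedule and alerting on any non-empty category is what turns a backdoor account that "could remain undetected for a long period of time" into one that is noticed on the next run.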