
Secplicity - Security Simplified

Powered by WatchGuard Technologies

VMware Cloud Server Takeover Vulnerability

June 5, 2020 By Trevor Collins


Earlier this week, Citadelo published a vulnerability they found in VMware's Cloud software. Small cloud providers use VMware Cloud software to host virtual servers and manage the environment through its Director module. Citadelo found a remote code execution vulnerability in this management software and noted that, using it, they could perform the following actions.

  • View content of the internal system database, including password hashes of any customers allocated to this infrastructure.
  • Modify the system database to steal foreign virtual machines (VM) assigned to different organizations within Cloud Director.
  • Escalate privileges from “Organization Administrator” (normally a customer account) to “System Administrator” with access to all cloud accounts (organization) as an attacker can change the hash for this account.
  • Modify the login page to Cloud Director, which allows the attacker to capture passwords of another customer in plaintext, including System Administrator accounts.
  • Read other sensitive data related to customers, like full names, email addresses or IP addresses.

Citadelo found they could trigger the flaw by sending a specially crafted request: an HTTP request that adds an SMTP domain name to the server. The request causes the server to respond with an error, but while building that error the server evaluates parts of the request and performs work on the server side. The Java-based server still has controls meant to prevent malicious Java code from running, but the researchers got around them by creating a new instance, or “class”, outside the normal security controls. Using another Java function to link code from the original class, they gained full control of the Java environment. Through Java they ran a shell command telling the server to sleep for five seconds, and the server did just that.

Even after fully gaining remote execution on the server, an attacker can’t do much in the environment. VMware Cloud encrypts the VM instances, so direct access isn’t possible. The researchers worked around this by updating the SQL database directly to change the administrator’s hashed password to one they knew. Logged in as the administrator, they then had full control of all virtual servers. Note also that malicious actors normally use remote execution vulnerabilities to run commands on a server without any credentials, but in this case the attacker does need an account on the VMware Cloud instance. If the cloud provider allows free trial accounts, anyone can create an account and exploit the vulnerability.

While remote execution of a command is certainly a concern on its own, the fact that attackers could reach another customer’s virtual server and compromise its data makes this a high-severity vulnerability. VMware released updates to its software in April and May, so be sure you update to 9.7.0.5, 10.0.0.2, 9.1.0.4, 9.5.0.6 or later. If an update isn’t possible, you can apply a workaround by following the steps here. Interestingly, the workaround shows that a simple permissions issue on one file caused the problem.
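The fixed releases above are per branch, so a quick inventory check has to compare each host against the fix for its own major.minor line rather than a single number. The following is an added example written for this article, not code from Citadelo or VMware; the host names and version strings in the sample inventory are constructed, and a branch newer than any listed fix is treated as covered by the article's “or later”.

```python
from typing import Dict, List, Tuple

# Fixed releases named in the article, keyed by major.minor branch.
# Assumption: a build is patched only when it is at or above the fix
# for its own branch; an unlisted older branch is reported as unknown.
FIXED_BY_BRANCH = {
    (9, 1): (9, 1, 0, 4),
    (9, 5): (9, 5, 0, 6),
    (9, 7): (9, 7, 0, 5),
    (10, 0): (10, 0, 0, 2),
}
NEWEST_FIXED_BRANCH = max(FIXED_BY_BRANCH)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.7.0.3' into (9, 7, 0, 3); pad to four parts, reject junk."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts) or len(parts) > 4:
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def patch_status(text: str) -> str:
    """'patched', 'vulnerable' or 'unknown-branch' for one Cloud Director build."""
    version = parse_version(text)
    branch = version[:2]
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        # Branch newer than every fixed branch counts as "or later".
        return "patched" if branch > NEWEST_FIXED_BRANCH else "unknown-branch"
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group (host, version) pairs by status so the vulnerable hosts stand out."""
    report: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown-branch": []}
    for host, ver in inventory:
        report[patch_status(ver)].append(host)
    return report


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = [
    ("vcd-a.example", "9.7.0.3"),
    ("vcd-b.example", "9.7.0.5"),
    ("vcd-c.example", "10.0.0.1"),
    ("vcd-d.example", "10.0.0.2"),
    ("vcd-e.example", "10.1"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```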
