Earlier this week, Citadelo published a vulnerability they found in the VMware Cloud software. Small Cloud providers use VMware Cloud software to support virtual servers and manage the environment through the Director module in the software. Citadelo found a remote execution vulnerability in this management software. Citadelo also noted they could do the following actions using the vulnerability found.
- View content of the internal system database, including password hashes of any customers allocated to this infrastructure.
- Modify the system database to steal foreign virtual machines (VM) assigned to different organizations within Cloud Director.
- Escalate privileges from “Organization Administrator” (normally a customer account) to “System Administrator” with access to all loud accounts (organization) as an attacker can change the hash for this account.
- Modify the login page to Cloud Director, which allows the attacker to capture passwords of another customer in plaintext, including System Administrator accounts.
- Read other sensitive data related to customers, like full names, email addresses or IP addresses.
Citadelo found they could exploit the flaw when sending a specifically crafted request. The message consists of the addition of a SMTP domain name to the server using a HTTP request. This message caused the server to respond with an error. But in this error, the server evaluated parts of the request and performed work on the server side. The Java-based server still has security to prevent malicious Java code from running but the researchers got around this by creating a new instance or “class” outside of the normal security controls in place. Using another Java function to link the code from the original class, the researchers gained full control of the Java environment. Through Java they ran a shell command that tells the server to sleep for five seconds and the server did just that.
Even after fully gaining remote execution on the server you can’t do much in the environment. VMware Cloud encrypts the VM instances, so direct access isn’t possible. They worked around this by updating the SQL database directly to change the administrator’s hashed password to one they know. Now logging in as the administrator, they have full control of all virtual servers. Also, malicious actors use remote execution vulnerabilities to run commands on the server but in this case the hackers do need an account on the VMware Cloud instance to access. If the cloud provider allows free trial accounts, anyone can create an account and exploit the vulnerability.
While the remote execution of a command certainly causes concern for us, the fact that hackers could access another instance of a virtual server and compromise data makes this a high-severity vulnerability. VMware provided an update to its software in April and May so be sure you update to 9.7.0.5, 10.0.0.2, 9.1.0.4, 9.5.0.6 or later. If an update isn’t possible then you can perform a workaround by following the steps here. Interestingly the workaround showed that a simple permissions issue on one file caused the problem.