Tomas Melicher and Lukas Vaclavik, penetration testers at Citadel discovered a new vulnerability in VMware’s Cloud Directory platform on April 9. They discovered during auditing the cloud infrastructure of a company by using VMware Cloud Director for managing virtual for clients. The vulnerability in the cloud platform could potentially allow attackers to gain access to sensitive information and control entire clouds. The vulnerability is tracked as CVE-2020-3952 and the flaw given a CVSS score of 10 out 10. It is a centralized management platform for virtualized hosts and virtual machines. Such a platform uses single sign-on (SSO) and it includes Security Token Service, an administrator server, vmdir, and the vCenter Lookup Service.
The researchers wanted to get a deep understanding of its risk and to see how attackers could exploit them. After they started investigating the new changes in VMware’s recommended patch, the researchers learned what an unauthenticated attacker could get access to. The investigation led the researchers to give them an idea of how attackers can get to the network access to vmdir and also how it could add an administrator account to the vCenter Directory. To make sure that the researchers protected the VMware cloud, they implemented a proof of concept to demonstrate a remote takeover of the entire vSpeher deployment.
In vmdir’s legacy LDAP handling code, there were two issues caused by the critical flaw.
- A bug in the function VmDir LegacyAccessCheck causing it to return “access granted” when permissions checks fail.
- A security design flaw that grants root privileges to an LDAP session with no token under the assumption that request was internal.
“Hackers could exploit the flaw in VMware Cloud Director via Flex- and HTML5-based user interfaces, the API Explorer interface and API access, VMware noted.” In addition, hackers could get access to sensitive information about the company, customers, employees and also third parties. Below is a list of possible actions when the hackers successfully get into the system.
- View content of the internal system database, including password hashes.
- Modify or delete the system database to steal foreign virtual machines (VM) assigned to different organizations within Cloud Director.
- Escalate privileges from “Organization Administrator” (normally a customer account) to “System Administrator” with access to all cloud accounts (organization) as an attacker can change the hash for this account.
- Read other sensitive data related to customers, like full names, email addresses, or IP addresses.
After the researcher found out about the bug and the consequences of that bug having dangerous actions, the company built a patch on April 30. Update VMware enables users of VMware Cloud Directory to patch their builds in time. Finally, VMware announced a security advisor to its clients on May 19.