VMware Cloud Director exploit lets hackers seize corporate servers
A simple form submission could have been manipulated to gain control of virtual machines with the cloud service


A vulnerability in VMware’s Cloud Director platform, used by a host of cloud providers to manage cloud infrastructure, could allow attackers to gain access to sensitive data and seize control of infrastructure.
Rated CVSSv3 8.8 and assigned CVE-2020-3956, the code-injection vulnerability in the cloud service-delivery platform could allow an attacker to gain access to sensitive data and take control of private clouds within an enterprise.
Attackers could also exploit the vulnerability to gain control over all customers within the cloud. It also allows the login section of the entire infrastructure to be modified so that another customer's username and password can be captured, according to Citadelo, the ethical hacking company that discovered the vulnerability.
“In general, cloud infrastructure is considered relatively safe because different security layers are being implemented within its core, such as encryption, isolating of network traffic, or customer segmentations,” said Citadelo CEO Tomas Zatko.
“However, security vulnerabilities can be found in any type of application, including the cloud providers themselves.”
Citadelo was hired this year by a Fortune 500 enterprise customer to perform a security audit and investigate their VMware Cloud Director-based cloud infrastructure.
Using the code injection flaw, researchers with the company were able to view the content of the internal system database, including password hashes of any customers allocated to the information system.
From there, they were able to modify the system database to steal foreign virtual machines (VMs) assigned to different organisations within Cloud Director. The flaw also allowed them to escalate privileges from that of a customer account to a system administrator, with access to all cloud accounts.
Finally, they could read all sensitive data related to customers, like full names, email addresses or IP addresses.
The vulnerability was initially reported to VMware on 1 April, with patches released towards the end of that month and during May. Organisations that haven't yet applied the fixes are still vulnerable.
Those affected include public cloud providers using VMware vCloud Director, private cloud providers using VMware vCloud Director, enterprises using VMware vCloud Director technology, and any government entities using VMware Cloud Director.

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.