On May 19,2020 VMware released an advisory to address Remote Code Execution vulnerability in VMware Cloud Director. CVE-2020-3956 has assigned to track this vulnerability.
vCloud Director
VMware Cloud Director (formerly known as vCloud Director) is a popular deployment, automation, and management software that’s used to operate and manage cloud resources, allowing businesses to data centers distributed across different geographical locations into virtual data centers
CVE-2020-3956
“An authenticated actor may be able to send malicious traffic to VMware Cloud Director which may lead to arbitrary remote code execution. This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access,”
AFFECTED VERSIONS
VMware Cloud Director 10.0.x before 10.0.0.2
VMware Cloud Director 9.7.x before 9.7.0.5
VMware Cloud Director 9.5.x before 9.5.0.6
VMware Cloud Director 9.1.x before 9.1.0.4
Brief Analysis
Security researchers revealed an EL (Expression Language) based Injection vulnerability that enabled an authenticated actor to send a malicious payload (via API calls or intercepted Web request) that led to
- privilege escalation — “Organization Administrator” (tenant account) to “System Administrator” (hypervisor)
- cross tenancy lateral movement
- sensitive infrastructure information disclosure
- password and credentials to further privilege escalation
Expression Language (EL) Injection
“Expression Language” (EL) was developed as part of JSTL (Java Server Pages Standard Tag Library) in order to provide the convenience of exporting Object Models (Abstract Types) into JSP (Java Server Pages) view interfaces. After gaining adoption in JSP pages, it’s utility amplified into non-view interfaces as well.
This was a feature provided by framework authors to enable the paradigm of code that generates code.
Using this as an entry point, we will able to access arbitrary Java classes (e.g. “java.io.BufferedReader“) and instantiate them by passing malicious payloads.
Scope of Exposure
- Public cloud providers using VMware vCloud Director.
- Private cloud providers using VMware vCloud Director
- Enterprises using VMware vCloud Director technology
- Any government identity using VMware Cloud Director
Exploitation
Citadelo made the Technical details available for educational purposes only. They have also published a PoC to demonstrate the vulnerability. An attacker must be authenticated in order to exploit CVE-2020-3956, so it will need Username and Password of vCloud Director.
Resolution
To remediate CVE-2020-3956 apply the patches recommended by the vendor in VMSA-2020-0010.
VMware Cloud Director 10.0.0.2
VMware Cloud Director 9.7.0.5
VMware Cloud Director 9.5.0.6
VMware Cloud Director 9.1.0.4
Workaround
VMware has also released a workaround to mitigate the risk of attacks exploiting the issue.Those that can’t upgrade to a recommended Patched versions, please make sure you have applied the workaround.
References:
https://www.vmware.com/security/advisories/VMSA-2020-0010.html
https://www.vmware.com/uk/products/cloud-director.html
https://citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/
https://thehackernews.com/2020/06/vmware-cloud-director-exploit.html
https://github.com/aaronsvk/CVE-2020-3956/blob/master/exploit.py