VMware Cloud Director, previously known as vCloud Director, is a cloud service-delivery platform used for purposes including virtual data center management, data center expansion and cloud migration, and for hosting automation tools. The software is used by cloud service providers and enterprise companies worldwide.
On Monday, penetration testing firm Citadelo published a security advisory detailing the bug, tracked as CVE-2020-3956, which was first discovered in April.
The cybersecurity firm said CVE-2020-3956 was uncovered during a security audit performed for a Fortune 500 enterprise customer and user of VMware Cloud Director.
Issued a CVSSv3 severity score of 8.8 and deemed "important" by VMware, the vulnerability was caused by improper input handling. While exploiting the flaw can lead to code execution and allow one user to "technically gain control over all customers allocated to this infrastructure," according to Citadelo, the bug's reach is limited because attackers must already be authenticated to some degree.
"An authenticated actor may be able to send malicious traffic to VMware Cloud Director which may lead to arbitrary remote code execution," VMware says. "This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface, and API access."
While analyzing the vulnerability, Citadelo was able to view internal system databases where password hashes were stored -- including customer allocations -- as well as read customer data including email and IP addresses.
The cybersecurity firm added that it may be possible to exploit the bug to partly modify databases to tamper with virtual machines, escalate privileges from organization admins to vCloud administrators, as well as tamper with login setups to steal credentials.
The cloud computing and virtualization software provider was made aware of the bug on April 1. Two days later, VMware triaged and reproduced the vulnerability, leading to the development of a patch on April 30 and disclosure in May, giving users time to patch their builds before the vulnerability's existence was made public.
VMware issued a security advisory to customers on May 19. vCloud Director 10.0.x, 9.7.x, 9.5.x, and 9.1.x on Linux machines and PhotonOS appliances are impacted. Versions 10.0.0.2, 126.96.36.199, 188.8.131.52, and 184.108.40.206 include fixes.