By Maria Korolov

A newly discovered vulnerability in VMware Cloud Director allows attackers who have compromised one account to spread to all the other accounts in a data center.

Previously marketed as vCloud Director (and before that as vCloud Hybrid Service), VMware Cloud Director is a cloud service-delivery platform widely used to deploy and manage virtual data centers and manage virtual cloud resources.

“VMware is aware of the vulnerability,” Stefanie Cannon, a VMware spokesperson, told Data Center Knowledge.

VMware issued a security advisory to its customers in late May, she explained, but declined to comment further. “This is our public statement on the issue,” she said.

The good news is that VMware has released an upgrade to its software that fixes the problem. The company also offered a set of workarounds for cases where the Cloud Director software can’t be upgraded. Furthermore, it’s good news that only a couple of thousand public-facing servers are vulnerable. So says Tomas Zatko, CEO at Slovak Republic-based Citadelo, the company that discovered the vulnerability.

The bad news is that a server running VMware Cloud Director doesn’t have to be exposed to the internet for the hackers to attack it, and there probably will be companies that don’t react fast enough to fix the problem before the attackers find them.

Zatko told Data Center Knowledge that his company reached out to as many companies as they could to tell them about the problem.

“We feel responsible to warn as many people as possible,” he said.

How It Works

Here’s how the attack works. A malicious hacker uses compromised credentials to log into a VMware Cloud Director management console. Then they use code injection to break out of the application to the underlying infrastructure.

Citadelo’s Tomas Zatko

“Then they can do anything,” said Zatko. “They can delete other databases or other virtual machines, copy data, modify data. It’s possible for them to do it in a very loud way, so it’s easy to find them out, or they can do it in a stealthy way. Without a proper security monitoring system and incident response processes, it could be unnoted for a very long time.”

Attackers can also see password hashes for other customers on the system and give themselves system administrator privileges. Then they can change the login page for the Cloud Director in order to capture other login credentials, and gather customer information such as names and email addresses.

VMware calls this an “important” vulnerability, with a CVSSv3 rating of up to 8.8 — 10 being the most critical.

Citadelo discovered the vulnerability in April, Zatko said, and reported it to VMware on April 1. It took the company just a couple of days to confirm that it was a real problem.

“Since it was the first of April, they probably thought we were joking, but we were not,” Zatko said.

Citadelo posted the results of its research on June 1, after VMware released the fix and notified its customers.

According to Zatko, vulnerabilities such as this can bring in hundreds of thousands of dollars on the black market if they are discovered by malicious actors and sold before anyone else knows about them. But he hasn’t seen any evidence that this vulnerability has been used in the wild.

Free Trial Offers Risky

Zatko warned that data centers offering hosting to third parties are particularly vulnerable to …

… this attack, and of those, free trial accounts are particularly dangerous.

“Many providers offer free trial accounts because they want to make things easy for their customers,” he said. “Many times, you don’t even need to provide real information about yourself or your company. You can provide fake information and stay anonymous. Then you create trial accounts and use the vulnerability to gain control over everything.”

In addition to updating software or installing workarounds, he suggests that data centers offering free trial accounts take extra precautions to confirm the identities of people requesting them.

Another step he recommends companies take, to defend against either this particular attack or against other zero days, is to set up honey pots.

“It’s a pretty old security concept, but historically hasn’t been used that much because it was expensive,” he said.

Zatko said setting up a honey pot can be quick and easy, either on your own or using commercial services.

The honey pot contains bait – fake data or systems that would be particularly attractive to bad guys, but only shows up when people are doing reconnaissance scans of the environment – with trip wires. If someone gets into a honey pot, that’s a definite sign that an attacker is in the system.

“This is something that’s very efficient and companies aren’t using enough,” Zatko said.