Security researchers have published technical details of a new vulnerability in VMware's Cloud Director platform that could allow an attacker to gain access to sensitive data and take control of private clouds within an entire infrastructure.
VMware's Cloud Director is a cloud service-delivery platform used by popular cloud providers to operate and manage cloud infrastructure.
The vulnerability, tracked as CVE-2020-3956, is classified as a code injection vulnerability. It exists due to improper input handling that an authenticated attacker could abuse by sending malicious traffic to Cloud Director, leading to the execution of arbitrary code.
According to the researchers from Citadelo, the flaw can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface, and API access. Successful exploitation could allow an attacker to view the content of the internal system database, modify the system database to steal foreign virtual machines (VMs) assigned to different organizations within Cloud Director, escalate privileges to vCloud administrator, and tamper with login setups to steal credentials.
The vulnerability affects VMware Cloud Director versions 10.0.x before 10.0.0.2, 9.7.0.x before 9.7.0.5, 9.5.0.x before 9.5.0.6, and 9.1.0.x before 9.1.0.4. After receiving a report from the researchers, VMware released new versions of the product to address the vulnerability.
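One way to check an asset inventory against the version ranges listed above, as an added example that is not from the article, Citadelo or VMware. The host names and inventory format are constructed, and the code assumes versions are recorded as dotted numeric strings in the form the article uses; branches the article does not mention are reported as "not-listed" rather than treated as safe.

```python
# Added example: first fixed release per affected branch, as listed in the article.
FIXED_BY_BRANCH = {
    (10, 0): (10, 0, 0, 2),    # 10.0.x before 10.0.0.2
    (9, 7, 0): (9, 7, 0, 5),   # 9.7.0.x before 9.7.0.5
    (9, 5, 0): (9, 5, 0, 6),   # 9.5.0.x before 9.5.0.6
    (9, 1, 0): (9, 1, 0, 4),   # 9.1.0.x before 9.1.0.4
}


def parse_version(text):
    """Turn '9.7.0.4' into (9, 7, 0, 4); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(text):
    """Return 'affected', 'fixed' or 'not-listed' for one version string."""
    version = parse_version(text)
    for branch, fixed in FIXED_BY_BRANCH.items():
        if version[:len(branch)] == branch:
            # Tuple comparison is component-wise; a shorter version such as
            # '10.0' compares as older than the fix and counts as affected.
            return "affected" if version < fixed else "fixed"
    # The article says nothing about other branches: report that
    # explicitly instead of implying they are safe.
    return "not-listed"


def audit(inventory):
    """Map each host to its status; bad version strings are flagged, not skipped."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = classify(version)
        except ValueError:
            report[host] = "unparseable"
    return report


# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = {
    "vcd-a.example.internal": "10.0.0.1",
    "vcd-b.example.internal": "9.7.0.5",
    "vcd-c.example.internal": "9.5.0.2",
    "vcd-d.example.internal": "10.1.0",
    "vcd-e.example.internal": "unknown",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "not-listed" or "unparseable" need a manual check against the vendor advisory rather than being counted as patched.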