CVE-2020-3956: VMware Cloud Director Code Injection Vulnerability
Description
VMware Cloud Director 10.0.x before 10.0.0.2, 9.7.0.x before 9.7.0.5, 9.5.0.x before 9.5.0.6, and 9.1.0.x before 9.1.0.4 do not properly handle input leading to a code injection vulnerability. An authenticated actor may be able to send malicious traffic to VMware Cloud Director which may lead to arbitrary remote code execution. This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access.
Ratings
- Attacker Value: High
- Exploitability: Low
Technical Analysis
The software requires purchase to download, and a VMware login is required to access the download page. The “Open Source Disclosure Package” contains only open-source JARs – no patch to analyze.
VMware provides a workaround here in the form of a shell script, reproduced below.
#!/bin/bash
# Copyright 2020 VMware, Inc. All rights reserved.
# This script patches vCloud Director cell to protect against CVE-2020-3956
# 1. download 'WA_CVE-2020-3956.sh' in all vCD Servers repeat steps from 2-4 in all servers
# 2. chmod 740 WA_CVE-2020-3956.sh
# 3. Run ./WA_CVE-2020-3956.sh

readonly VCD_HOME="/opt/vmware/vcloud-director"
readonly BVAL_ROOT_DIR="$VCD_HOME/system/org/apache/bval/org.apache.bval.bundle"
readonly VMW_BVAL_DIR="$BVAL_ROOT_DIR/1.1.1.vmw"
readonly BVAL_DIR="$BVAL_ROOT_DIR/1.1.1"
readonly ELF_CLASS="org/apache/bval/el/ELFacade*.class"
readonly ZIP_CMD="/usr/bin/zip"
WIDTH=80

function is_zip_pkg_not_found() {
    [ ! -f "$ZIP_CMD" ]
}

function is_bval_found() {
    [ -f "$BVAL_DIR/org.apache.bval.bundle-1.1.1.jar" ]
}

function is_bval_vmw_found() {
    [ -f "$VMW_BVAL_DIR/org.apache.bval.bundle-1.1.1.vmw.jar" ]
}

function start_vcd () {
    /etc/init.d/vmware-vcd restart
    if [ $? -ne 0 ]; then
        fmt -w$WIDTH <<EOF
Start up failed; you should review the logs in ${VCD_HOME}/logs for details.
EOF
    fi
}

function service_start() {
    chown vcloud:vcloud "$BVAL_DIR"/org.apache.bval.bundle-1.1.1.jar
    chown root:vcloud "$VCD_HOME"/bin/vmware-vcd-cell-common
    chmod 0640 "$VCD_HOME"/bin/vmware-vcd-cell-common
    echo "--------------------------------------------------------------"
    echo "This cell has been patched. Restarting service... "
    echo "--------------------------------------------------------------"
    start_vcd
}

function security_fix() {
    if is_bval_found; then
        class_count=$($ZIP_CMD -sf $BVAL_DIR/org.apache.bval.bundle-1.1.1.jar | grep $ELF_CLASS | wc -l)
        if [ "$class_count" != 0 ]; then
            $ZIP_CMD -dq $BVAL_DIR/org.apache.bval.bundle-1.1.1.jar $ELF_CLASS
            service_start
        else
            echo "This cell is protected against CVE-2020-3956"
            echo "--------------------------------------------------------------"
        fi
    fi
}

echo "Assessing your cell ....."
echo "--------------------------------------------------------------"
if [ -d "$VCD_HOME" ]; then
    echo "vCloud Director cell path found and scanning your system, "
    if is_bval_vmw_found; then
        echo "--------------------------------------------------------------"
        echo "This cell is protected against CVE-2020-3956"
        echo "--------------------------------------------------------------"
        exit 0
    elif is_zip_pkg_not_found; then
        echo "---------------------------------------------------------------"
        echo "zip package not found, it must be installed to run this script."
        echo "---------------------------------------------------------------"
        exit 0
    fi
    security_fix
else
    echo "--------------------------------------------------------------"
    echo "vCloud Director cell path not found. "
    echo "--------------------------------------------------------------"
    exit 0
fi
The workaround removes any org/apache/bval/el/ELFacade*.class files from /opt/vmware/vcloud-director/system/org/apache/bval/org.apache.bval.bundle/1.1.1/org.apache.bval.bundle-1.1.1.jar. ELFacade deals with Java EL expressions, which suggests an EL injection vulnerability.
Note that this vulnerability is post-auth! This somewhat limits the exposure of the vuln, but no one said getting creds was difficult. Patch!
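As an added example (not code from the page, from VMware or from the assessment author), the following Python check mirrors the detection step of the workaround script: it lists the ELFacade classes still present in the bval bundle JAR so an operator can confirm, without modifying anything, whether the workaround has actually taken effect on a cell. The JAR path and the class pattern are the ones the script uses; the two sample JARs are constructed in memory with placeholder bytes and are not real bval artifacts.

```python
import fnmatch
import io
import zipfile
from pathlib import Path

# Path and class pattern taken from VMware's workaround script.
BVAL_JAR = Path(
    "/opt/vmware/vcloud-director/system/org/apache/bval/"
    "org.apache.bval.bundle/1.1.1/org.apache.bval.bundle-1.1.1.jar"
)
ELFACADE_PATTERN = "org/apache/bval/el/ELFacade*.class"


def elfacade_entries(jar_bytes: bytes) -> list[str]:
    """Return the JAR entries matching the ELFacade pattern, sorted.

    An empty list means the workaround (deleting those classes) has been applied.
    A JAR is a ZIP archive, so the standard zipfile module is enough to read it.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return sorted(
            name for name in jar.namelist()
            if fnmatch.fnmatchcase(name, ELFACADE_PATTERN)
        )


def assess_jar(jar_bytes: bytes) -> dict:
    """Summarise one JAR: protected iff no ELFacade class remains."""
    entries = elfacade_entries(jar_bytes)
    return {"protected": not entries, "elfacade_classes": entries}


def assess_cell(jar_path=BVAL_JAR) -> dict:
    """Assess a live cell. A missing JAR is reported as 'unknown' (None), not as protected,
    because the bval 1.1.1 bundle may simply live somewhere else on that build."""
    jar_path = Path(jar_path)
    if not jar_path.is_file():
        return {"protected": None, "elfacade_classes": [], "note": f"{jar_path} not found"}
    return assess_jar(jar_path.read_bytes())


def make_sample_jar(entries: dict) -> bytes:
    """Build a constructed in-memory JAR from {entry_name: bytes}; test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()


# Constructed sample JARs. Class bodies are placeholder bytes, not real bytecode,
# and the non-ELFacade entry name is invented to show the pattern does not match it.
PLACEHOLDER_CLASS = b"\xca\xfe\xba\xbe placeholder"
UNPATCHED_JAR = make_sample_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/apache/bval/el/ELFacade.class": PLACEHOLDER_CLASS,
    "org/apache/bval/el/ELFacade$1.class": PLACEHOLDER_CLASS,
    "org/apache/bval/example/PlaceholderClass.class": PLACEHOLDER_CLASS,
})
PATCHED_JAR = make_sample_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/apache/bval/example/PlaceholderClass.class": PLACEHOLDER_CLASS,
})

if __name__ == "__main__":
    for label, jar in (("constructed unpatched JAR", UNPATCHED_JAR),
                       ("constructed patched JAR", PATCHED_JAR)):
        print(f"{label}: {assess_jar(jar)}")
    # On a real cell this reads the JAR at BVAL_JAR; elsewhere it reports 'not found'.
    print(f"live cell: {assess_cell()}")
```

The check is read-only on purpose: the vendor script both detects and deletes, so running it on a fleet to answer "are we done?" also changes state. Reporting a missing JAR as unknown rather than protected avoids a false sense of safety on cells where the bundle sits at a different path.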
General Information
Vendors
- vmware
Products
- vcloud director
Technical Analysis
Technical analysis can be found here: https://citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/
And here is a working exploit: https://github.com/aaronsvk/CVE-2020-3956
(I am the author)
Enjoy! :)
@aaronsvk This is great! You’re the person who discovered the vuln, too, yes? Really nice work.
Yes, I am. Thank you @ccondon-r7
Fantastic work, @aaronsvk. Thank you!