CVE-2020-3956: VMware Cloud Director Code Injection Vulnerability
Description
VMware Cloud Director 10.0.x before 10.0.0.2, 9.7.0.x before 9.7.0.5, 9.5.0.x before 9.5.0.6, and 9.1.0.x before 9.1.0.4 do not properly handle input leading to a code injection vulnerability. An authenticated actor may be able to send malicious traffic to VMware Cloud Director which may lead to arbitrary remote code execution. This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access.
Ratings
- Attacker Value: High
- Exploitability: Low
Technical Analysis
The software requires purchase to download, and a VMware login is required to access the download page. The “Open Source Disclosure Package” contains only open-source JARs – no patch to analyze.
VMware provides a workaround here in the form of a shell script, reproduced below.
#!/bin/bash
# Copyright 2020 VMware, Inc. All rights reserved.
# This script patches vCloud Director cell to protect against CVE-2020-3956
# 1. download 'WA_CVE-2020-3956.sh' in all vCD Servers repeat steps from 2-4 in all servers
# 2. chmod 740 WA_CVE-2020-3956.sh
# 3. Run ./WA_CVE-2020-3956.sh

readonly VCD_HOME="/opt/vmware/vcloud-director"
readonly BVAL_ROOT_DIR="$VCD_HOME/system/org/apache/bval/org.apache.bval.bundle"
readonly VMW_BVAL_DIR="$BVAL_ROOT_DIR/1.1.1.vmw"
readonly BVAL_DIR="$BVAL_ROOT_DIR/1.1.1"
readonly ELF_CLASS="org/apache/bval/el/ELFacade*.class"
readonly ZIP_CMD="/usr/bin/zip"
WIDTH=80

function is_zip_pkg_not_found() {
  [ ! -f "$ZIP_CMD" ]
}

function is_bval_found() {
  [ -f "$BVAL_DIR/org.apache.bval.bundle-1.1.1.jar" ]
}

function is_bval_vmw_found() {
  [ -f "$VMW_BVAL_DIR/org.apache.bval.bundle-1.1.1.vmw.jar" ]
}

function start_vcd () {
  /etc/init.d/vmware-vcd restart
  if [ $? -ne 0 ]; then
    fmt -w$WIDTH <<EOF
Start up failed; you should review the logs in ${VCD_HOME}/logs for details.
EOF
  fi
}

function service_start() {
  chown vcloud:vcloud "$BVAL_DIR"/org.apache.bval.bundle-1.1.1.jar
  chown root:vcloud "$VCD_HOME"/bin/vmware-vcd-cell-common
  chmod 0640 "$VCD_HOME"/bin/vmware-vcd-cell-common
  echo "--------------------------------------------------------------"
  echo "This cell has been patched. Restarting service... "
  echo "--------------------------------------------------------------"
  start_vcd
}

function security_fix() {
  if is_bval_found; then
    class_count=$($ZIP_CMD -sf $BVAL_DIR/org.apache.bval.bundle-1.1.1.jar | grep $ELF_CLASS | wc -l)
    if [ "$class_count" != 0 ]; then
      $ZIP_CMD -dq $BVAL_DIR/org.apache.bval.bundle-1.1.1.jar $ELF_CLASS
      service_start
    else
      echo "This cell is protected against CVE-2020-3956"
      echo "--------------------------------------------------------------"
    fi
  fi
}

echo "Assessing your cell ....."
echo "--------------------------------------------------------------"
if [ -d "$VCD_HOME" ]; then
  echo "vCloud Director cell path found and scanning your system, "
  if is_bval_vmw_found; then
    echo "--------------------------------------------------------------"
    echo "This cell is protected against CVE-2020-3956"
    echo "--------------------------------------------------------------"
    exit 0
  elif is_zip_pkg_not_found; then
    echo "---------------------------------------------------------------"
    echo "zip package not found, it must be installed to run this script."
    echo "---------------------------------------------------------------"
    exit 0
  fi
  security_fix
else
  echo "--------------------------------------------------------------"
  echo "vCloud Director cell path not found. "
  echo "--------------------------------------------------------------"
  exit 0
fi
The workaround removes any org/apache/bval/el/ELFacade*.class files from /opt/vmware/vcloud-director/system/org/apache/bval/org.apache.bval.bundle/1.1.1/org.apache.bval.bundle-1.1.1.jar. ELFacade deals with Java EL expressions, which suggests an EL injection vulnerability.
Note that this vulnerability is post-auth! This somewhat limits the exposure of the vuln, but no one said getting creds was difficult. Patch!
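For fleet-wide verification, a read-only audit that reports whether a cell is still exposed is more useful than re-running the modifying script on every host. The following is an added example, not VMware's script and not from this assessment: it reproduces the same decision logic as WA_CVE-2020-3956.sh (vendor-fixed 1.1.1.vmw bundle present, or ELFacade classes absent from the 1.1.1 bundle) but only inspects the JAR and never alters it. The directory layout and JAR names are taken from the script above; the sample cells built by build_sample_cell are constructed stand-ins so the check can run offline, and the placeholder class names inside them are made up.

```python
"""Read-only audit of the CVE-2020-3956 workaround state of a vCloud Director cell.

Added example (not VMware's script). A cell counts as protected if the vendor-fixed
1.1.1.vmw bundle exists, or if the 1.1.1 bundle no longer carries any
org/apache/bval/el/ELFacade*.class entry, which is exactly what the workaround deletes.
"""
import fnmatch
import os
import tempfile
import zipfile

# Paths relative to VCD_HOME, as used by WA_CVE-2020-3956.sh.
BVAL_REL = os.path.join("system", "org", "apache", "bval", "org.apache.bval.bundle")
JAR_NAME = "org.apache.bval.bundle-1.1.1.jar"
VMW_JAR_NAME = "org.apache.bval.bundle-1.1.1.vmw.jar"
ELF_GLOB = "org/apache/bval/el/ELFacade*.class"  # same pattern the workaround removes


def elfacade_entries(jar_path):
    """Return the sorted names of JAR entries matching the ELFacade pattern (read-only)."""
    with zipfile.ZipFile(jar_path) as jar:
        return sorted(n for n in jar.namelist() if fnmatch.fnmatch(n, ELF_GLOB))


def assess_cell(vcd_home):
    """Classify one cell install directory.

    Returns one of: 'not-a-cell', 'fixed-bundle', 'bundle-missing',
    'workaround-applied', 'vulnerable'.
    """
    if not os.path.isdir(vcd_home):
        return "not-a-cell"
    root = os.path.join(vcd_home, BVAL_REL)
    vmw_jar = os.path.join(root, "1.1.1.vmw", VMW_JAR_NAME)
    jar = os.path.join(root, "1.1.1", JAR_NAME)
    if os.path.isfile(vmw_jar):
        return "fixed-bundle"          # vendor-patched bundle present
    if not os.path.isfile(jar):
        return "bundle-missing"        # nothing to assess; investigate manually
    return "vulnerable" if elfacade_entries(jar) else "workaround-applied"


def build_sample_cell(base, include_elfacade):
    """Create a constructed (fake) cell layout with a minimal bval JAR for testing."""
    jar_dir = os.path.join(base, BVAL_REL, "1.1.1")
    os.makedirs(jar_dir)
    # Placeholder entry names; only the names matter to the audit, not the bytes.
    entries = ["META-INF/MANIFEST.MF", "org/apache/bval/example/Placeholder.class"]
    if include_elfacade:
        entries += ["org/apache/bval/el/ELFacade.class",
                    "org/apache/bval/el/ELFacade$1.class"]
    with zipfile.ZipFile(os.path.join(jar_dir, JAR_NAME), "w") as jar:
        for name in entries:
            jar.writestr(name, b"")
    return base


def demo():
    """Build an unpatched and a workaround-applied sample cell and audit both."""
    with tempfile.TemporaryDirectory() as tmp:
        exposed = build_sample_cell(os.path.join(tmp, "cell-a"), include_elfacade=True)
        patched = build_sample_cell(os.path.join(tmp, "cell-b"), include_elfacade=False)
        jar = os.path.join(exposed, BVAL_REL, "1.1.1", JAR_NAME)
        return {
            "exposed": assess_cell(exposed),
            "patched": assess_cell(patched),
            "absent": assess_cell(os.path.join(tmp, "no-such-cell")),
            "entries": elfacade_entries(jar),
        }


if __name__ == "__main__":
    # On a real cell: assess_cell("/opt/vmware/vcloud-director")
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it with no arguments to see the constructed demo; on a real cell call assess_cell("/opt/vmware/vcloud-director") from a read-only account. A 'bundle-missing' result means the layout differs from what the script expects and should be checked by hand rather than treated as safe.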
Products
- VMware Cloud Director
Technical analysis can be found here: https://citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/
And here is a working exploit: https://github.com/aaronsvk/CVE-2020-3956
(I am the author)
Enjoy! :)
@aaronsvk This is great! You’re the person who discovered the vuln, too, yes? Really nice work.
Yes, I am. Thank you @ccondon-r7
Fantastic work, @aaronsvk. Thank you!