Security researchers at Citadelo have disclosed details of a serious new flaw in VMware’s Cloud Director platform, tracked as CVE-2020-3956, that could be exploited to take over corporate servers.

VMware Cloud Director is a cloud service-delivery platform that lets organizations build and operate cloud-service businesses. Using the platform, cloud providers deliver secure, efficient, and elastic cloud resources to companies and IT teams worldwide.

The vulnerability could allow an authenticated attacker to gain access to the corporate network, read sensitive data, and take control of private clouds across an entire infrastructure.
</grReplace>
<gr_replace lines="7" cat="clarify" orig="“A code injection">
“A code injection vulnerability in VMware Cloud Director was privately reported to VMware. Patches and workarounds are available to remediate or workaround this vulnerability in affected VMware products,” reads the advisory published by VMware. “VMware Cloud Director does not properly handle input leading to a code injection vulnerability.”

“A code injection vulnerability in VMware Cloud Director was privately reported to VMware. Patches and workarounds are available to remediate or workaround this vulnerability in affected VMware products.” reads the advisory published by VMware. “VMware Cloud Director does not properly handle input leading to a code injection vulnerability.”

CVE-2020-3956 is a code injection flaw caused by improper input handling. An attacker can trigger it by sending malicious traffic to Cloud Director, resulting in the execution of arbitrary code. The flaw received a score of 8.8 out of 10 on the CVSS v3 severity scale.

“An authenticated actor may be able to send malicious traffic to VMware Cloud Director which may lead to arbitrary remote code execution. This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access,” the advisory continues.

Researchers from Citadelo discovered the issue while carrying out a security audit of the cloud infrastructure of an unnamed Fortune 500 enterprise customer.

In a blog post, the researchers explained that a single simple form submission can be used to take control of any Virtual Machine (VM) within VMware Cloud Director.

“Everything started with just a simple anomaly. When we entered ${7*7} as a hostname for the SMTP server in vCloud Director, we received the following error message: String value has an invalid format, value: [49].” “It indicated some form of Expression Language injection, as we were able to evaluate simple arithmetic functions on the server side.”
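A defensive illustration of the input-handling weakness described above, added here and not taken from the article, Citadelo or VMware: a strict allowlist validator for an SMTP hostname field, and a detector that flags Expression Language (EL) style probes such as ${7*7} in request logs. The log lines, field names and endpoint path are constructed for the example.

```python
"""Added example (not from the article, Citadelo or VMware): two defensive checks for
the bug class described above, where a user-supplied value such as an SMTP hostname
reaches an Expression Language (EL) evaluator because input is not validated."""
import re
from typing import List, Tuple
from urllib.parse import unquote

# RFC 1123 hostname: labels of letters, digits and hyphens, 1-63 chars each, no leading
# or trailing hyphen, whole name at most 253 chars. Everything outside this allowlist is
# rejected, so '$', '{', '}' and '#' (the characters EL syntax needs) never reach a
# templating or expression layer.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def is_valid_smtp_hostname(value: str) -> bool:
    """Allowlist validation for a hostname form field (hypothetical, not VMware's code)."""
    if not value or len(value) > 253:
        return False
    return _HOSTNAME_RE.fullmatch(value) is not None


# Detection: EL-style syntax in submitted values, e.g. the ${7*7} arithmetic probe quoted
# in the article. Unified EL and similar engines use ${...} or #{...}; flag either form
# after URL-decoding so that percent-encoded probes are caught as well.
_EL_PROBE_RE = re.compile(r"[$#]\{[^}]*\}")


def find_el_probes(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_no, decoded_match) for request log lines carrying EL-like syntax."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        m = _EL_PROBE_RE.search(unquote(line))
        if m:
            hits.append((n, m.group(0)))
    return hits


# Constructed sample access-log lines (not real traffic); line 2 carries a
# percent-encoded probe, line 3 the alternative #{...} form.
SAMPLE_LOG = [
    '10.0.0.5 - admin [01/Jun/2020:10:00:01] "POST /api/smtp HTTP/1.1" 200 host=mail.example.com',
    '10.0.0.9 - admin [01/Jun/2020:10:00:07] "POST /api/smtp HTTP/1.1" 500 host=%24%7B7*7%7D',
    '10.0.0.9 - admin [01/Jun/2020:10:00:09] "POST /api/smtp HTTP/1.1" 500 host=#{2*3}',
]

if __name__ == "__main__":
    for h in ("mail.example.com", "${7*7}", "-bad.example", "a" * 64 + ".com"):
        print(f"{h!r}: valid={is_valid_smtp_hostname(h)}")
    print(find_el_probes(SAMPLE_LOG))
```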
