CVE-2020-3956: VMware Cloud Director Code Injection Vulnerability

attackerkb.com, published 2020-05-20

EPSS: 0.885 (percentile 98.8%)

VMware Cloud Director 10.0.x before 10.0.0.2, 9.7.0.x before 9.7.0.5, 9.5.0.x before 9.5.0.6, and 9.1.0.x before 9.1.0.4 do not properly handle input leading to a code injection vulnerability. An authenticated actor may be able to send malicious traffic to VMware Cloud Director which may lead to arbitrary remote code execution. This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access.

Recent assessments:

wvu-r7 at May 20, 2020 6:57pm UTC reported:

The software requires purchase to download, and a VMware login is required to access the download page. The "Open Source Disclosure Package" contains only open-source JARs – no patch to analyze.

VMware provides a workaround here in the form of a shell script, reproduced below.

#!/bin/bash

# Copyright 2020 VMware, Inc.  All rights reserved.

# This script patches vCloud Director cell to protect against CVE-2020-3956
# 1. download 'WA_CVE-2020-3956.sh' in all vCD Servers repeat steps from 2-4 in all servers
# 2. chmod 740 WA_CVE-2020-3956.sh
# 3. Run ./WA_CVE-2020-3956.sh

readonly VCD_HOME="/opt/vmware/vcloud-director"
readonly BVAL_ROOT_DIR="$VCD_HOME/system/org/apache/bval/org.apache.bval.bundle"
readonly VMW_BVAL_DIR="$BVAL_ROOT_DIR/1.1.1.vmw"
readonly BVAL_DIR="$BVAL_ROOT_DIR/1.1.1"
readonly ELF_CLASS="org/apache/bval/el/ELFacade*.class"
readonly ZIP_CMD="/usr/bin/zip"

WIDTH=80

function is_zip_pkg_not_found()
{
    [ ! -f "$ZIP_CMD" ]
}

function is_bval_found()
{
    [ -f "$BVAL_DIR/org.apache.bval.bundle-1.1.1.jar" ]
}

function is_bval_vmw_found()
{
    [ -f "$VMW_BVAL_DIR/org.apache.bval.bundle-1.1.1.vmw.jar" ]
}

function start_vcd () {
    /etc/init.d/vmware-vcd restart
    if [ $? -ne 0 ]; then
        fmt -w$WIDTH <<EOF
Start up failed; you should review the logs in ${VCD_HOME}/logs for details.
EOF
    fi
}

function service_start()
{
    chown vcloud:vcloud "$BVAL_DIR"/org.apache.bval.bundle-1.1.1.jar
    chown root:vcloud "$VCD_HOME"/bin/vmware-vcd-cell-common
    chmod 0640 "$VCD_HOME"/bin/vmware-vcd-cell-common
    echo "--------------------------------------------------------------"
    echo "This cell has been patched. Restarting service...             "
    echo "--------------------------------------------------------------"

    start_vcd

}

function security_fix()
{
    if is_bval_found; then
      # Quote the glob so the shell hands the pattern to zip and grep literally.
      class_count=$($ZIP_CMD -sf "$BVAL_DIR/org.apache.bval.bundle-1.1.1.jar" | grep "$ELF_CLASS" | wc -l)
      if [ "$class_count" != 0 ]; then
        # Delete the ELFacade classes from the bundle, then restart the cell.
        $ZIP_CMD -dq "$BVAL_DIR/org.apache.bval.bundle-1.1.1.jar" "$ELF_CLASS"
        service_start
      else
        echo "This cell is protected against CVE-2020-3956"
        echo "--------------------------------------------------------------"
      fi
    fi
}


echo "Assessing your cell ....."
echo "--------------------------------------------------------------"

if [ -d "$VCD_HOME" ]; then
    echo "vCloud Director cell path found and scanning your system, "
    if is_bval_vmw_found; then
        echo "--------------------------------------------------------------"
        echo "This cell is protected against CVE-2020-3956"
        echo "--------------------------------------------------------------"
        exit 0
    elif is_zip_pkg_not_found; then
        echo "---------------------------------------------------------------"
        echo "zip package not found, it must be installed to run this script."
        echo "---------------------------------------------------------------"
        exit 0
    fi
    security_fix
else
    echo "--------------------------------------------------------------"
    echo "vCloud Director cell path not found. "
    echo "--------------------------------------------------------------"
    exit 0
fi

The workaround removes any org/apache/bval/el/ELFacade*.class files from /opt/vmware/vcloud-director/system/org/apache/bval/org.apache.bval.bundle/1.1.1/org.apache.bval.bundle-1.1.1.jar. ELFacade deals with Java EL expressions, which suggests an EL injection vulnerability.

Note that this vulnerability is post-auth! This somewhat limits the exposure of the vuln, but no one said getting creds was difficult. Patch!

Assessed Attacker Value: 4
Assessed Attacker Value: 2
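The vendor workaround above treats a cell as safe when the 1.1.1.vmw bval bundle is present, and otherwise deletes the ELFacade classes from the 1.1.1 jar. The following read-only audit is an added example (not VMware's script and not part of the assessment) that applies those same two checks with Python's zipfile module, so a fleet of cells can be classified without modifying any jar. Paths and jar names are the ones from the vendor script; the VCD_HOME override, the status labels and the sample jar in the test are assumptions.

```python
#!/usr/bin/env python3
"""Read-only check: does a vCloud Director cell still ship the ELFacade classes
that VMware's CVE-2020-3956 workaround removes? Added example, not VMware code."""
import fnmatch
import os
import sys
import zipfile

# Relative paths mirror the vendor workaround script (VCD_HOME, BVAL_ROOT_DIR, ...).
BUNDLE_REL = "system/org/apache/bval/org.apache.bval.bundle"
PATCHED_JAR = "1.1.1.vmw/org.apache.bval.bundle-1.1.1.vmw.jar"
ORIGINAL_JAR = "1.1.1/org.apache.bval.bundle-1.1.1.jar"
ELF_PATTERN = "org/apache/bval/el/ELFacade*.class"   # same glob the workaround zips out


def elfacade_entries(jar_path):
    """Return jar entries matching the ELFacade glob (inner classes such as
    ELFacade$1.class included), read-only."""
    with zipfile.ZipFile(jar_path) as jar:
        return [n for n in jar.namelist() if fnmatch.fnmatchcase(n, ELF_PATTERN)]


def assess_cell(vcd_home="/opt/vmware/vcloud-director"):
    """Classify a cell (assumed labels): 'not-a-cell', 'patched-bundle',
    'workaround-applied', 'vulnerable', or 'unknown' when the expected jar is
    missing (reported, not silently assumed safe)."""
    if not os.path.isdir(vcd_home):
        return "not-a-cell", []
    bundle_dir = os.path.join(vcd_home, BUNDLE_REL)
    if os.path.isfile(os.path.join(bundle_dir, PATCHED_JAR)):
        return "patched-bundle", []           # vendor-patched bundle present
    original = os.path.join(bundle_dir, ORIGINAL_JAR)
    if not os.path.isfile(original):
        return "unknown", []
    leftovers = elfacade_entries(original)
    return ("vulnerable" if leftovers else "workaround-applied"), leftovers


if __name__ == "__main__":
    home = sys.argv[1] if len(sys.argv) > 1 else "/opt/vmware/vcloud-director"
    status, classes = assess_cell(home)
    print(status)
    for name in classes:
        print("  still present:", name)
    sys.exit(1 if status == "vulnerable" else 0)
```

Run it with the cell's install root as the only argument; a non-zero exit means the ELFacade classes are still in the bundle and the workaround or patch has not been applied.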
