What You Need to Know About VMware's Latest Software Upgrade
By: Alan Seal on August 6, 2020
VMware Cloud Director is used by a wide variety of public and private cloud providers to manage their cloud services. Previously known as vCloud Director and vCloud Hybrid Service, Cloud Director lets providers manage software-defined data centers filled with virtual machines in order to deliver reliable and affordable cloud hosting. When enterprises weigh cloud against on-premises and colocation options for their IT infrastructure, VMware is often the solution chosen by those who decide to migrate to the cloud.
Unfortunately, the cloud isn’t without its security risks, as the recent news about a vulnerability in the VMware Cloud Director service demonstrates.
VMware's Vulnerability Exposed
The flaw in VMware’s Cloud Director platform was uncovered by the cybersecurity firm Citadelo during a security audit for a Fortune 500 company that used Cloud Director. Citadelo followed up with a series of tests to exploit the vulnerability, which allowed its researchers not only to read internal system databases containing passwords and customer data such as email and IP addresses, but also to modify those databases in order to tamper with virtual machines, escalate access privileges, and steal credentials.
Most troubling, however, was the revelation that hackers could use code injection to move from a compromised application to the underlying VMware environment. That would allow them to not only gain access to an entire private cloud, but also to access and control all cloud accounts within the infrastructure.
After being informed of the vulnerability on April 1, VMware reproduced the vulnerability (tracked as CVE-2020-3956) and got to work on a security patch. The situation was made public in late May when patches and workarounds became available, at which time VMware announced that the vulnerability had been given a CVSSv3 score of 8.8, just short of the most severe 9-10 “critical” range.
Potential Security Risks
While software updates have fixed most of the problems, not all customers have been able to apply them. Although VMware has provided workarounds for those customers, there is no guarantee that all of them have implemented these precautions. According to Citadelo researchers, cloud hosting providers using VMware Cloud Director face the greatest risk, especially if they offer free trial accounts.
“Many providers offer free trial accounts because they want to make things easy for their customers,” said Tomas Zatko, CEO of Citadelo, in an interview with Data Center Knowledge. “Many times, you don’t even need to provide real information about yourself or your company. You can provide fake information and stay anonymous. Then you can create trial accounts and use the vulnerability to take control of everything.”
Is the Cloud Secure Enough for Your Data?
In almost every respect, this vulnerability is the absolute nightmare scenario for any cloud computing customer. From the earliest days of cloud computing, there have always been concerns that if one portion of the cloud were to be compromised, the attacker would be able to penetrate the infrastructure supporting the virtual machines and access everything.
The recent VMware problems will likely cause many enterprises to reassess whether the cloud is secure enough for their data. In most cases, the multiple layers of security utilizing encryption, segmentation, and traffic isolation are enough to prevent attacks, but every application contains vulnerabilities. It’s just a matter of who finds them first. When hackers discover them, they often sell the secret to other attackers and try to carry out as many intrusions as possible before they’re detected. Every organization’s network faces this risk, but when it comes to cloud hosting providers, a security vulnerability could impact every one of their customers.
Protecting Your Data
Organizations using cloud computing services can take a number of steps to keep their data secure despite the inherent security vulnerabilities of the cloud. One of the best strategies is to build a hybrid IT environment within a colocation data center. This approach allows companies to keep their mission-critical data and applications on physical equipment over which they can exercise a high level of control and oversight to maintain rigid security standards.
These private servers can then be connected to whatever cloud services an organization requires using zero-trust network access (ZTNA). Far more secure than a traditional virtual private network (VPN), ZTNA uses segmentation to grant access to specific applications rather than to the network as a whole, ensuring that someone accessing those applications cannot use that access to move laterally through the network and exploit other systems.
While the VMware vulnerability poses a significant threat, any hacker who manages to exploit it will be confined to the cloud infrastructure. If an organization segments its essential systems and data onto physical servers in a colocation facility, it can still protect itself from a damaging data breach by ensuring that cloud administrator privileges cannot extend into that physical infrastructure.
Secure Your Network with vXchnge
As an award-winning colocation provider, vXchnge takes cybersecurity threats very seriously. It’s why we hold a full range of compliance certificates and attestations to demonstrate that we have the controls and systems in place to mitigate risk for our customers. Every one of our strategically positioned colocation data centers is staffed by remote hands personnel 24x7x365 to keep a close watch over your assets. We can even connect you to a variety of trusted managed security service providers that can set up the cybersecurity systems that will keep your essential data secure.