AttackerKB AKB:A1CDD92E-0914-48F5-94EC-0607F6DDB0C9
May 20, 2020 - 12:00 a.m.

CVE-2020-3956: VMware Cloud Director Code Injection Vulnerability

2020-05-20 00:00:00
attackerkb.com

CVSS3: 8.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 6.5 Medium

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

VMware Cloud Director 10.0.x before 10.0.0.2, 9.7.0.x before 9.7.0.5, 9.5.0.x before 9.5.0.6, and 9.1.0.x before 9.1.0.4 do not properly handle input leading to a code injection vulnerability. An authenticated actor may be able to send malicious traffic to VMware Cloud Director which may lead to arbitrary remote code execution. This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access.

Recent assessments:

wvu-r7 at May 20, 2020 6:57pm UTC reported:

The software requires purchase to download, and a VMware login is required to access the download page. The “Open Source Disclosure Package” contains only open-source JARs – no patch to analyze.

VMware provides a workaround here in the form of a shell script, reproduced below.

#!/bin/bash

# Copyright 2020 VMware, Inc.  All rights reserved.

# This script patches vCloud Director cell to protect against CVE-2020-3956
# 1. download 'WA_CVE-2020-3956.sh' in all vCD Servers repeat steps from 2-4 in all servers
# 2. chmod 740 WA_CVE-2020-3956.sh
# 3. Run ./WA_CVE-2020-3956.sh

readonly VCD_HOME="/opt/vmware/vcloud-director"
readonly BVAL_ROOT_DIR="$VCD_HOME/system/org/apache/bval/org.apache.bval.bundle"
readonly VMW_BVAL_DIR="$BVAL_ROOT_DIR/1.1.1.vmw"
readonly BVAL_DIR="$BVAL_ROOT_DIR/1.1.1"
readonly ELF_CLASS="org/apache/bval/el/ELFacade*.class"
readonly ZIP_CMD="/usr/bin/zip"

WIDTH=80

function is_zip_pkg_not_found()
{
    [ ! -f "$ZIP_CMD" ]
}

function is_bval_found()
{
    [ -f "$BVAL_DIR/org.apache.bval.bundle-1.1.1.jar" ]
}

function is_bval_vmw_found()
{
    [ -f "$VMW_BVAL_DIR/org.apache.bval.bundle-1.1.1.vmw.jar" ]
}

function start_vcd () {
    /etc/init.d/vmware-vcd restart
    if [ $? -ne 0 ]; then
        fmt -w$WIDTH <<EOF
Start up failed; you should review the logs in ${VCD_HOME}/logs for details.
EOF
    fi
}

function service_start()
{
    chown vcloud:vcloud "$BVAL_DIR"/org.apache.bval.bundle-1.1.1.jar
    chown root:vcloud "$VCD_HOME"/bin/vmware-vcd-cell-common
    chmod 0640 "$VCD_HOME"/bin/vmware-vcd-cell-common
    echo "--------------------------------------------------------------"
    echo "This cell has been patched. Restarting service...             "
    echo "--------------------------------------------------------------"

    start_vcd

}

function security_fix()
{
    if is_bval_found; then
      class_count=$($ZIP_CMD -sf $BVAL_DIR/org.apache.bval.bundle-1.1.1.jar | grep $ELF_CLASS | wc -l)
      if [ "$class_count" != 0 ]; then
        $ZIP_CMD -dq $BVAL_DIR/org.apache.bval.bundle-1.1.1.jar $ELF_CLASS
        service_start
      else
        echo "This cell is protected against CVE-2020-3956"
        echo "--------------------------------------------------------------"
      fi
    fi
}


echo "Assessing your cell ....."
echo "--------------------------------------------------------------"

if [ -d "$VCD_HOME" ]; then
    echo "vCloud Director cell path found and scanning your system, "
    if is_bval_vmw_found; then
        echo "--------------------------------------------------------------"
        echo "This cell is protected against CVE-2020-3956"
        echo "--------------------------------------------------------------"
        exit 0
    elif is_zip_pkg_not_found; then
        echo "---------------------------------------------------------------"
        echo "zip package not found, it must be installed to run this script."
        echo "---------------------------------------------------------------"
        exit 0
    fi
    security_fix
else
    echo "--------------------------------------------------------------"
    echo "vCloud Director cell path not found. "
    echo "--------------------------------------------------------------"
    exit 0
fi

The workaround removes any org/apache/bval/el/ELFacade*.class files from /opt/vmware/vcloud-director/system/org/apache/bval/org.apache.bval.bundle/1.1.1/org.apache.bval.bundle-1.1.1.jar. ELFacade deals with Java EL expressions, which suggests an EL injection vulnerability.

Note that this vulnerability is post-auth! This somewhat limits the exposure of the vuln, but no one said getting creds was difficult. Patch!

Assessed Attacker Value: 4
Assessed Attacker Value: 2
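
A read-only check of the state the workaround script leaves behind, as an added example that is not part of the assessment or of VMware's script: it lists ELFacade entries in the stock bval jar with Python's zipfile instead of /usr/bin/zip, and names the cases where the script prints nothing or exits 0 without patching. The status strings and the make_cell helper are names chosen for this example; the paths and class pattern are the ones in the script.

```python
import fnmatch
import os
import tempfile
import zipfile

# Paths and class pattern copied from the workaround script on this page.
BVAL_REL = "system/org/apache/bval/org.apache.bval.bundle"
STOCK_JAR = "1.1.1/org.apache.bval.bundle-1.1.1.jar"
VMW_JAR = "1.1.1.vmw/org.apache.bval.bundle-1.1.1.vmw.jar"
ELF_CLASS = "org/apache/bval/el/ELFacade*.class"


def elfacade_entries(jar_path):
    """List the jar entries the workaround would delete, without modifying the jar."""
    with zipfile.ZipFile(jar_path) as jar:
        return [n for n in jar.namelist() if fnmatch.fnmatchcase(n, ELF_CLASS)]


def audit_cell(vcd_home="/opt/vmware/vcloud-director"):
    """Return (status, entries), checking in the same order as the script."""
    root = os.path.join(vcd_home, BVAL_REL)
    if not os.path.isdir(vcd_home):
        return "no-cell", []
    if os.path.isfile(os.path.join(root, VMW_JAR)):
        return "vmw-bundle-present", []  # the script reports this case as protected
    stock = os.path.join(root, STOCK_JAR)
    if not os.path.isfile(stock):
        return "bval-jar-missing", []  # the script prints nothing in this case
    try:
        hits = elfacade_entries(stock)
    except zipfile.BadZipFile:
        return "jar-unreadable", []
    return ("elfacade-present", hits) if hits else ("workaround-applied", [])


def make_cell(tmp, entries):
    """Build a constructed cell tree whose stock jar holds empty `entries`."""
    jar = os.path.join(tmp, BVAL_REL, STOCK_JAR)
    os.makedirs(os.path.dirname(jar))
    with zipfile.ZipFile(jar, "w") as z:
        for name in entries:
            z.writestr(name, b"")
    return tmp


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample, not a real cell
        cell = make_cell(tmp, ["org/apache/bval/el/ELFacade$1.class", "META-INF/MANIFEST.MF"])
        print(audit_cell(cell))
```

Run on each cell, a result of "elfacade-present" means the workaround has not been applied there, and "bval-jar-missing" or "jar-unreadable" means the cell needs a manual look because the script would not have reported a problem.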
