VMware has rolled out fixes for issues in their Cloud Director platforms.

VMware Cloud Director is a cloud management platform that enables service providers to build and manage secure, multi-tenant clouds and virtual data centers. Cloud Director plugins are extensions that enhance its functionality by adding features such as improved automation, advanced reporting, and extended management options.

We're diving into the vulnerabilities CVE-2024-22276 and CVE-2024-22277, which were found in the VMware Cloud Director Object Storage Extension and the VMware Cloud Director Availability plugin respectively. This article will break down what these vulnerabilities mean, how they might affect your systems, and the steps Broadcom has taken to secure these gaps.

HTML injection CVE-2024-22277

HTML injection is a security vulnerability that allows attackers to insert HTML code into a web page viewed by other users. This type of vulnerability can have a variety of consequences, depending on the attacker's intent and the context of the application.

At its core, HTML injection involves the embedding of HTML or JavaScript code (the latter is known as cross-site scripting) into web pages. This can happen when an application takes user input and outputs it onto web pages without proper validation and escaping. For instance, if a user is allowed to input HTML tags as part of an object that is directly displayed on a webpage, this can be exploited to alter the appearance of the page or inject malicious content.

The consequences of HTML injection can vary from minor to significantly harmful. On the less severe end, attackers might alter the page layout or insert nonsensical content, causing inconvenience and annoyance to users. This can be considered a form of denial of service. More seriously, attackers could redirect visitors to malicious websites or manipulate web forms to submit private data to external destinations. By modifying hyperlinks or adding new ones, attackers can create phishing sites that mimic legitimate pages, deceiving users into entering personal information.

During the penetration test we identified the vulnerability described above in the VMware Cloud Director Availability plugin. The vulnerable field was Plan name in the Create recovery plan functionality, which can be found in the Recovery Plans tab. The payload is triggered once the affected plan is executed, and it therefore appears in the Replication Tasks tab.

Screenshot: HTML injection in the VMware Cloud Director Availability plugin.

To reproduce this vulnerability, the following chain of actions can be followed:

  1. Open the availability plugin.
  2. Go to the Recovery Plans tab.
  3. Create a new Recovery Plan or Migration Plan.
  4. Put an HTML tag in the Plan name field. When the creation of the Recovery Plan is submitted, it is sent to the server as the value of the displayName parameter of the HTTP POST request. An example payload (an HTML tag) is shown below.

    '"><img src='https://www.a1.net/favicon.ico'/>
  5. Open the Replication Tasks tab. The HTML tag should be interpreted by the browser, and the favicon of A1 should be displayed in the Target field.
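
The missing output escaping described earlier, shown next to its fix. This is an added example, not the plugin's code: the table-cell markup and all function names are assumptions, and only the payload is taken from step 4.

```javascript
// Added illustration, not the plugin's code; cell markup and names are assumptions.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can end a text node or an attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored displayName is concatenated into markup as-is.
function renderTargetCellUnsafe(displayName) {
  return "<td title='" + displayName + "'>" + displayName + "</td>";
}

// Hardened pattern: encode at output time, in both attribute and text context.
function renderTargetCellSafe(displayName) {
  const safe = escapeHtml(displayName);
  return "<td title='" + safe + "'>" + safe + "</td>";
}

// Count opening tags in a fragment; a correctly encoded cell contains only <td>.
function countOpeningTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Payload from step 4 of the reproduction above.
const PLAN_NAME = "'\"><img src='https://www.a1.net/favicon.ico'/>";

console.log(countOpeningTags(renderTargetCellUnsafe(PLAN_NAME))); // extra <img> tags appear
console.log(countOpeningTags(renderTargetCellSafe(PLAN_NAME)));   // only the <td> remains
console.log(renderTargetCellSafe(PLAN_NAME));
```

The leading `'">` in the payload closes a quoted attribute and its tag, which is why the quote characters have to be encoded along with `<` and `>`.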

Session cookies transmitted in URL CVE-2024-22276

Another vulnerability identified in VMware Cloud Director concerns the transmission of session tokens in GET parameters. This means that session tokens, which are meant to authenticate users and maintain their active sessions, were included in the URL. While this might seem harmless at first glance, it poses significant security risks.

When session tokens are included in URLs, they can be exposed through various means such as browser history, server logs, or third-party analytics. These tokens are sensitive pieces of information that, if intercepted, can lead to session hijacking. This type of attack allows an unauthorized party to gain access to a user's session, potentially leading to unauthorized access to sensitive information and actions.

Our experience showed that session tokens logged in server logs or browser history can be exploited. For example, attackers accessing server logs through vulnerabilities like Local File Inclusion (LFI), path traversal or improper file permissions can retrieve these tokens. Once obtained, the attacker can impersonate the user, leading to session hijacking. This exposure, combined with other vulnerabilities, significantly increases the risk.

During the security assessment it turned out that the Object Storage plugin of VMware Cloud Director transmits sensitive data, namely the session token (a JSON Web Token, JWT), via an HTTP GET request, in a parameter that is part of the URL, as shown below:

  • /api/v3/<bucket>/<file>?token=<JWT>
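
A log-side check for this exposure, as an added example (not VMware's or the authors' code): it finds JWT-shaped query values in access-log request lines and redacts them. The log lines, the token and the `page` parameter are constructed, and the function names are hypothetical.

```javascript
// Added illustration; log lines and token are constructed, function names are hypothetical.
// A JWT is three base64url segments; a JSON header always encodes to a string starting "eyJ".
const JWT_RE = /^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;

const FAKE_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl"; // constructed
const SAMPLE_LOG = [
  `203.0.113.7 - - [01/Jul/2024:10:00:01 +0000] "GET /api/v3/bucket1/report.pdf?token=${FAKE_JWT} HTTP/1.1" 200 5120`,
  `203.0.113.7 - - [01/Jul/2024:10:00:02 +0000] "GET /api/v3/bucket1/report.pdf?page=2 HTTP/1.1" 200 5120`,
  `203.0.113.9 - - [01/Jul/2024:10:00:03 +0000] "GET /api/v3/bucket1/ HTTP/1.1" 200 812`,
];

// Replace every JWT-shaped query value in a request target and report its parameter name.
function scrubRequestTarget(target) {
  const q = target.indexOf("?");
  if (q === -1) return { target, leaked: [] };
  const params = new URLSearchParams(target.slice(q + 1));
  const leaked = [];
  for (const [name, value] of [...params]) {
    if (JWT_RE.test(value)) {
      leaked.push(name);
      params.set(name, "REDACTED");
    }
  }
  // Clean targets are returned byte-for-byte so unaffected log lines do not change.
  if (leaked.length === 0) return { target, leaked };
  return { target: target.slice(0, q + 1) + params.toString(), leaked };
}

// Apply the scrub to the request line of one access-log entry.
function scrubLogLine(line) {
  const m = line.match(/"[A-Z]+ (\S+) HTTP\/[\d.]+"/);
  if (!m) return { line, leaked: [] };
  const { target, leaked } = scrubRequestTarget(m[1]);
  return { line: line.replace(m[1], () => target), leaked };
}

// Detection view: which lines carried a token in the URL, and in which parameter.
function findTokenLeaks(lines) {
  return lines
    .map((line, i) => ({ lineNo: i + 1, params: scrubLogLine(line).leaked }))
    .filter((hit) => hit.params.length > 0);
}

console.log(findTokenLeaks(SAMPLE_LOG));
console.log(scrubLogLine(SAMPLE_LOG[0]).line);
```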

Timeline

15.04.2024 - The A1 Digital Security Professional Services team, in coordination with the A1 Telekom Customer Datacenter & Service Enabler team, reported three vulnerabilities to the VMware security team.

The responsible disclosure included a high-severity remote code execution flaw (with CVSS changed scope). Notably, this critical vulnerability had been fixed shortly before the report (it existed in an older version).

09.05.2024 - Two vulnerabilities out of three have been officially accepted.

15.05.2024 - The disclosure date has been agreed.

27.06.2024 - The first (of two) VMware Security Advisories was published, for the responsible disclosure in VMware Cloud Director Object Storage Extension:

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24372

04.07.2024 - VMware Security Advisory was published for VMware Cloud Director Availability:
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24557