
VMware flaw allows takeover of multiple private clouds
2020-06-03 15:23

VMware's Cloud Director has a security flaw that researchers believe could be exploited to compromise multiple customer accounts using the same cloud infrastructure.

A few weeks back, security pen testing company Citadelo chanced upon what looks like a significant vulnerability while it was carrying out an audit for a VMware customer.

The researchers developed a proof-of-concept, working through either the web-based interface or the platform's Application Programming Interface (API), that was capable of taking over multiple private clouds on any vulnerable provider.

VMware learned of the flaw in early April, issuing patches for affected versions of vCloud Director and Cloud Director during early May. The updated, fixed versions are vCloud Director versions 9.7.0.5, 10.0.0.2, 9.1.0.4, and 9.5.0.6, with the patch alert going out on 19 May. Organisations that can't update for whatever reason are offered suggestions for mitigating the issue.

These days, despite numerous layers of encryption and segmentation, VMware still needs careful attention; the company fixed a significant but lower-level VM flaw in March.


News URL

https://nakedsecurity.sophos.com/2020/06/03/vmware-flaw-allows-takeover-of-multiple-private-clouds/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Vmware 146 11 222 256 102 591