A newly discovered vulnerability in VMware Cloud Director allows attackers who have compromised one account to spread to all the other accounts in a data center.
Previously marketed as vCloud Director (and before that as vCloud Hybrid Service), VMware Cloud Director is a cloud service-delivery platform widely used to deploy and manage virtual datacenters and manage virtual cloud resources.
“VMware is aware of the vulnerability,” Stefanie Cannon, a VMware spokesperson, told Data Center Knowledge.
VMware issued a security advisory to its customers in late May, she explained, but declined to comment further. “This is our public statement on the issue,” she said.
The good news is that VMware has released an upgrade to its software that fixes the problem, as well as a set of workarounds for cases where the Cloud Director software can’t be upgraded. It’s also good news that only a couple of thousand public-facing servers are vulnerable, according to Tomas Zatko, CEO at Citadelo, the company that discovered the vulnerability.
The bad news is that a server running VMware Cloud Director doesn’t have to be exposed to the internet for the hackers to attack it, and there will probably be companies that don’t react fast enough to fix the problem before the attackers find them.