Expression Language injection bug gave attackers full access to private cloud accounts

VMware has patched a vulnerability in VMware Cloud Director that opened the door to the complete takeover of an organization’s cloud infrastructure through straightforward code injection.

Cloud Director allows cloud providers, governments, and large enterprises to create and manage virtual data centers, and serves over 500,000 customers worldwide.

But a flaw discovered by researchers at Citadelo could have allowed attackers to manipulate a single simple form submission and take over these private clouds, accessing sensitive data and modifying logins to capture the username and password of other users.

The company has issued a proof of concept that demonstrates the exploit in action:



“In general, cloud infrastructure is considered relatively safe because different security layers are being implemented within its core, such as encryption, isolating of network traffic, or customer segmentations,” says Tomas Zatko, CEO of Citadelo.

“However, security vulnerabilities can be found in any type of application, including the cloud providers themselves.”

Routine security audit

The code injection vulnerability, discovered by researchers Tomáš Melicher and Lukáš Václavík as part of a routine security audit for a Fortune 500 firm, allows an authenticated actor to send malicious traffic to VMware Cloud Director using the web-based interface or API calls.

“Cloud providers offering a free trial to potential new customers using VMware Cloud Director are at high risk because an untrusted actor can quickly take advantage,” warns the firm.

The discovery started with a simple anomaly, says the team: entering ${7*7} as a hostname for SMTP server in vCloud Director generated the error message: String value has invalid format, value: [49].


RECOMMENDED Researcher scoops $31k bug bounty for flagging SSRF vulnerabilities in Facebook


This led them to suspect some form of Expression Language injection, as they were able to evaluate simple arithmetic functions on the server side.

With a little experimentation, they were then able to call simple Java code, access arbitrary Java classes, and create their instances without parameters – and then create new instances of classes.

The next step was gaining access to foreign clouds. The researchers found that that all the sensitive data related to vCloud was stored in a remote database, and identified where its credentials were stored.

Unfortunately, the credentials were encrypted using AES, with an encryption key hardcoded in the source code of the vCloud Director.

After decompiling it, they found out that vCloud encryption is handled by a custom class – com.vmware.vcloud.common.crypto.EncryptionManager – and that credentials to the database could be easily obtained using a snippet of Java code.

“Now we have full access to the vCloud database, and we can access all the data,” they say.

Unbridled access

The researchers found they were able to view the content of the internal system database, including password hashes, and could modify it to steal external virtual machines assigned to different organizations within Cloud Director.

They could also escalate privileges from Organization Administrator – normally a customer account – to System Administrator, giving them access to all cloud accounts.

They could modify the login page to Cloud Director, allowing an attacker to capture other customers’ passwords in plaintext, including system administrator accounts.

And they could read other sensitive data related to customers, such as full names, email addresses, and IP addresses.

VMware has classified the vulnerability as ‘important’, and released new versions of the product containing a fix.

There’s currently no standalone patch for older versions, although VMware has released a workaround for customers who can’t carry out an update now.


YOU MIGHT ALSO LIKE WordPress security: Critical flaw fixed in bbPress forum plugin