Three critical security vulnerabilities were discovered recently in EMC and VMware backup and recovery tools. While these tools may not seem relevant to the cloud, the vulnerabilities do have implications for security in hybrid cloud architectures in which virtual machines may be shared or deployed in both internal and public cloud environments. In addition, some of these products may be in use within cloud provider environments, and they could put the cloud itself at risk.
The EMC and VMware security vulnerabilities are significant; EMC Avamar, EMC NetWorker, EMC Integrated Data Protection Appliance and vSphere Data Protection are all affected. The EMC products were actually found to be vulnerable late in 2017, but VMware didn't determine that vSphere Data Protection was at risk until early 2018.
The first issue could enable attackers to gain root access to the underlying management components of the EMC tools. This flaw, designated as CVE-2017-15548, is an authentication bypass that could lead to an unauthenticated attacker taking remote control of these services. While this is bad in itself, the deeper ramifications of the flaw are unfettered access to and control over backups of virtual machines, any of which may contain sensitive data, full memory contents, configuration details and more.
The second of the EMC and VMware security vulnerabilities, CVE-2017-15549, affects all of the EMC products, and it could enable an authenticated attacker with minimal privileges to upload malicious files to any part of the platforms' file system. This means an attacker could potentially overwrite configuration files, load web content that provides access to underlying system shells and more.
The final flaw, CVE-2017-15550, is a privilege escalation flaw that could enable an attacker with low privileges to access more privileged content within the servers' file system. An attacker could then pull password hashes or sensitive configuration files from the platforms, or even files related to virtual machine backups.
These EMC and VMware security vulnerabilities can only be exploited with some local network access, which would normally not be possible from the internet. Unfortunately, there are some cases of these systems being exposed to the internet -- accidentally or otherwise -- making attacks against the platforms much easier. Regardless of how attackers get access to these platforms, this series of EMC and VMware security vulnerabilities highlights a number of concerns that security teams should be aware of.
First, an attacker within an internal network environment may be able to execute privileged commands on systems that control major backup and replication functions for core data center platforms, like VMware vSphere. This means that virtual machine files could be accessed, copied or even modified -- potentially without the administration team knowing about it. Very few operations teams support file integrity monitoring on virtual machine files or backups, so it's highly likely that changes to these files would go unnoticed, at least for some period of time.
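As an added illustration of the file integrity monitoring gap noted above (example code written for this page, not from the original article or from EMC or VMware): a minimal hash-manifest check that baselines a backup repository and later reports files that were modified, removed or newly dropped in. The directory layout, file names and contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Backup artefact types to watch; adjust to the repository's actual naming.
WATCHED_SUFFIXES = (".vmdk", ".vmx", ".ova", ".bak")


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so multi-GB disk images fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each watched file (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES
    }


def verify(root: Path, baseline: dict) -> dict:
    """Compare the repository against a stored baseline and report drift."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "unexpected": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed repository: baseline it, alter it, and run the check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "vm1").mkdir()
        (root / "vm1" / "disk.vmdk").write_bytes(b"original disk image")
        (root / "vm1" / "vm1.vmx").write_text('displayName = "vm1"\n')
        baseline = build_baseline(root)
        # Changes the check must surface: altered disk, lost config, new file.
        (root / "vm1" / "disk.vmdk").write_bytes(b"changed disk image")
        (root / "vm1" / "vm1.vmx").unlink()
        (root / "vm1" / "extra.vmdk").write_bytes(b"not in baseline")
        return verify(root, baseline)
```

In practice the baseline would be written out (for example as JSON) to a host the backup servers cannot write to, and the check scheduled after each backup run.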
Changed virtual machines could then be backed up again -- and again -- leading to malicious changes propagating for long periods of time. This would largely be an issue in private cloud environments that are maintained within the confines of an organization's data center.
Second, and more relevant to cloud scenarios, changed virtual machines could be used to generate templates or instances in the public cloud. The same problems could ensue, but organizations may be even less likely to notice malicious activity unless they're carefully monitoring their cloud provider's environment.
Finally, the cloud providers themselves could be vulnerable if they're using the products affected by these EMC and VMware security vulnerabilities, and it's unlikely that tenants would know that these products were in use at all. This could potentially lead to the exposure of tenant systems or data depending on the architecture in place.
For both private and public cloud scenarios, major vulnerabilities in core infrastructure products like those from EMC and VMware can have far-reaching impacts. It's critical that virtualization and cloud operations teams apply patches as soon as possible for vulnerabilities like these, and cloud service providers' teams will, of course, need to do the same.