Big vCloud Director Security Gotchas That I Have Found

This post describes an important security "gotcha" that I recently uncovered in vCloud Director 1.5 running on vSphere 5. If you are running vCloud Director, check your role settings against what follows.

The BIG Security Issue

I scanned the vCloud Security Hardening Guide for any mention of this issue and found nothing; Google searches turned up nothing either. It is a strange one. If a vApp contains one or more VMs and guest customization is enabled, the VM's properties let you either specify an administrator password or have vCloud Director generate a random one. Part one of the issue is that the specified password is entered and displayed in clear text: you do not get the expected ****** as you type. Part two is that anyone who deploys a vApp from a catalog can open the properties of a VM and read the administrator password, specified or generated, in clear text. This works even for a user who holds only the "Console Access Only" role. Check out these screenshots:

Specifying Password


Exposed Password



Exposes Generated Password



The Big Fix

The culprit is a vApp right called Manage VM Password Settings. Any user whose role includes this right can see the VM's administrator password, and every stock role shipped with vCloud Director 1.5 has it enabled. Rather than editing the stock roles, I suggest making copies of the roles you intend to hand out and unchecking this right in the copies:

vApp User Role - No Password


With the right removed, the password is masked for users holding that role:

Masked Password
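Clicking through every role in the UI does not scale, so here is an added example (my own, not anything shipped with vCloud Director) that audits Role documents for the Manage VM Password Settings right and produces the "copy the role, uncheck the right" fix as a Role document you could submit back. The XML is constructed for the example; its layout follows the vCloud API 1.5 admin Role representation (Role / RightReferences / RightReference) as I know it, and the right's display name "vApp: Manage VM Password Settings", the hostname vcd.example and the right hrefs are assumptions. Confirm the exact right name against GET /api/admin/role/{id} on your own installation before relying on it.

```python
"""Audit vCloud Director roles for the VM-password right and build a fixed copy.

Added example, not the blog's own tooling. Sample Role XML below is
constructed; the right's display name and all hrefs are assumptions.
"""
import xml.etree.ElementTree as ET

VCLOUD_NS = "http://www.vmware.com/vcloud/v1.5"
NS = {"vc": VCLOUD_NS}
# Assumed display name of the right discussed in the post; verify on your vCD.
PASSWORD_RIGHT = "vApp: Manage VM Password Settings"

# Constructed sample: one stock-style role that still carries the right and
# one copied role with the right already unchecked. In practice each string
# would be the response body of GET https://vcd.example/api/admin/role/{id}.
SAMPLE_ROLES = [
    """<Role xmlns="http://www.vmware.com/vcloud/v1.5" name="Console Access Only">
  <Description>Stock role (constructed sample)</Description>
  <RightReferences>
    <RightReference name="vApp: View VM metrics" href="https://vcd.example/api/admin/right/1"/>
    <RightReference name="vApp: Manage VM Password Settings" href="https://vcd.example/api/admin/right/2"/>
  </RightReferences>
</Role>""",
    """<Role xmlns="http://www.vmware.com/vcloud/v1.5" name="vApp User - No Password">
  <Description>Copy of vApp User with the password right unchecked</Description>
  <RightReferences>
    <RightReference name="vApp: Use" href="https://vcd.example/api/admin/right/3"/>
  </RightReferences>
</Role>""",
]


def parse_role(role_xml):
    """Return (role name, list of right names) from one Role document."""
    root = ET.fromstring(role_xml)
    rights = [r.get("name")
              for r in root.findall("vc:RightReferences/vc:RightReference", NS)]
    return root.get("name"), rights


def roles_with_right(role_xmls, right_name=PASSWORD_RIGHT):
    """Names of roles that grant right_name. Every non-admin role listed here
    lets its users read the VM administrator password in clear text."""
    return [name for name, rights in map(parse_role, role_xmls)
            if right_name in rights]


def strip_right(role_xml, right_name=PASSWORD_RIGHT, new_name=None):
    """Return a Role document with right_name removed and, optionally, renamed:
    the 'copy the role and uncheck the right' fix as the XML you would POST to
    /api/admin/org/{id}/roles (path assumed) to create the hardened copy."""
    root = ET.fromstring(role_xml)
    if new_name:
        root.set("name", new_name)
    refs = root.find("vc:RightReferences", NS)
    for ref in list(refs):            # copy the list; we mutate while iterating
        if ref.get("name") == right_name:
            refs.remove(ref)
    ET.register_namespace("", VCLOUD_NS)   # keep the default namespace on output
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for role in roles_with_right(SAMPLE_ROLES):
        print("exposes VM password:", role)
    print(strip_right(SAMPLE_ROLES[0], new_name="Console Access Only - No Password"))
```

Run it against the Role documents you pull from /api/admin for every role in every organization, not just the stock ones, since a custom role created by copying a stock role inherits the right too.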


Hopefully the next version of vCloud Director will ship with this right disabled on every role except the admin roles. Even then, users who legitimately hold the right still see the password in clear text on screen, so the risk of an "over the shoulder" password compromise remains.

  1. Hi Dave,
    I work for EMC, follow your blog and tweets, and would like to invite you to a special webcast/Q&A. I couldn’t find your email, so I’ll leave you mine. I’d like to send you more information on this event. I hope to hear from you.
    Chris
    chris [dot] britt [at] emc [dot] com
