VMware has reported a critical, as yet unpatched authentication bypass vulnerability that affects Cloud Director appliance deployments. Cloud Director is a tool employed by VMware administrators to manage their organizations' cloud services as part of Virtual Data Centers (VDC). The authentication bypass specifically impacts appliances running VCD Appliance 10.5 that were upgraded from an older version. The vulnerability, CVE-2023-34060, does not affect new installations of VCD Appliance 10.5, Linux deployments, or other appliances.
The vulnerability can be remotely exploited by unauthenticated attackers in low-complexity attacks that do not require user interaction. As VMware explains, 'On an upgraded version of VMware Cloud Director Appliance 10.5, a malicious actor with network access to the appliance can bypass login restrictions when authenticating on port 22 (ssh) or port 5480 (appliance management console). This bypass is not present on port 443 (VCD provider and tenant login). On a new installation of VMware Cloud Director Appliance 10.5, the bypass is not present.'
While VMware has yet to provide a patch for this critical authentication bypass, it has given administrators a temporary workaround to use until security updates are available. VMware released Security Advisory VMSA-2023-0026 to help customers understand the issue and the upgrade path that will rectify it. The workaround is applicable only to the affected versions of VCD Appliance 10.5.0 and involves downloading a custom script attached to a knowledge base article and running it on cells vulnerable to CVE-2023-34060. VMware assures that this workaround does not cause any functional disruptions, and there is no downtime because neither a service restart nor a reboot is necessary.
In past months, VMware has also addressed other security issues. In June, the company fixed an ESXi zero-day exploited by Chinese state hackers for data theft and warned customers about an actively exploited critical bug in the Aria Operations for Networks analytics tool. More recently, in October, it patched a critical vCenter Server flaw (CVE-2023-34048) that could be exploited for remote code execution attacks.