VMware has fixed a critical authentication bypass vulnerability in Cloud Director appliance deployments, a bug that was left unpatched for over two weeks since it was disclosed on November 14th.
Cloud Director is a VMware platform that enables admins to handle data centers spread across multiple locations as Virtual Data Centers (VDC).
The auth bypass security flaw (CVE-2023-34060) only impacts appliances running VCD Appliance 10.5 that were previously upgraded from an older release. According to VMware, it does not affect fresh VCD Appliance 10.5 installs, Linux deployments, or other appliances.
Remote attackers can exploit the CVE-2023-34060 bug in low-complexity attacks that don’t require user interaction.
“On an upgraded version of VMware Cloud Director Appliance 10.5, a malicious actor with network access to the appliance can bypass login restrictions when authenticating on port 22 (ssh) or port 5480 (appliance management console),” VMware explains.
“This bypass is not present on port 443 (VCD provider and tenant login). On a new installation of VMware Cloud Director Appliance 10.5, the bypass is not present.”
Workaround also available
The company also provides a temporary workaround for admins who cannot immediately install the security patch.
“VMware released VMware Security Advisory VMSA-2023-0026 to help customers comprehend the issue and which upgrade path will fix it,” VMware says in a separate advisory.
The workaround shared by VMware only works for affected versions of VCD Appliance 10.5.0, and it requires downloading a custom script and running it on cells vulnerable to CVE-2023-34060 attacks.
According to VMware, this workaround does not cause any functional disruption, and downtime is not a concern either, since neither a service restart nor a reboot is necessary.
In June, VMware patched an ESXi zero-day (CVE-2023-20867) exploited by Chinese cyberspies for data theft and alerted customers to an actively abused critical flaw in the Aria Operations for Networks analytics tool.
More recently, in October, it also fixed a critical vCenter Server flaw (CVE-2023-34048) that can be used for remote code execution attacks.