VMware has revealed a serious and unpatched authentication bypass vulnerability affecting Cloud Director appliance deployments. The flaw is present in appliances running VCD Appliance 10.5 that have been upgraded from an older release, allowing unauthenticated attackers to exploit it remotely without requiring user interaction. VMware has acknowledged the critical nature of the vulnerability and is actively working on a permanent fix.
In the meantime, the company has provided administrators with a temporary workaround to mitigate the risk until an official patch is made available. This workaround is specific to affected versions of VCD Appliance 10.5.0 and involves running a custom script to address the authentication bypass vulnerability.
The authentication bypass security flaw is significant as it can be remotely exploited by unauthenticated attackers with network access to the appliance. The issue occurs when authenticating on port 22 (ssh) or port 5480 (appliance management console) in appliances that have been upgraded from an older release to VCD Appliance 10.5. However, the bypass is not present on port 443 (VCD provider and tenant login).
VMware emphasizes that the flaw does not impact fresh VCD Appliance 10.5 installs, Linux deployments, and other appliances. While there is currently no official patch for the critical vulnerability, VMware has released a security advisory (VMSA-2023-0026) to guide customers and provide information on the available upgrade paths.
VMware’s workaround for the authentication bypass vulnerability is applicable to affected versions of VCD Appliance 10.5.0. The workaround involves downloading a custom script provided by VMware and running it on cells exposed to the CVE-2023-34060 vulnerability.
According to VMware, implementing this workaround does not cause any functional disruptions, and downtime is not a concern as neither a service restart nor a reboot is necessary. Administrators are advised to carefully follow VMware’s guidance and apply the workaround to secure their Cloud Director appliance deployments until a permanent solution in the form of an official patch is released.