VMware discloses critical VCD Appliance auth bypass with no patch

VMware disclosed a critical and unpatched authentication bypass vulnerability affecting Cloud Director appliance deployments.

Cloud Director enables VMware admins to manage their organizations' cloud services as part of Virtual Data Centers (VDC).

The auth bypass security flaw only affects appliances running VCD Appliance 10.5 that were previously upgraded from an older release. The company also added that CVE-2023-34060 does not impact fresh VCD Appliance 10.5 installs, Linux deployments, and other appliances.

Unauthenticated attackers can remotely exploit the bug in low-complexity attacks that don't require user interaction.

"On an upgraded version of VMware Cloud Director Appliance 10.5, a malicious actor with network access to the appliance can bypass login restrictions when authenticating on port 22 (ssh) or port 5480 (appliance management console)," VMware explains.

"This bypass is not present on port 443 (VCD provider and tenant login). On a new installation of VMware Cloud Director Appliance 10.5, the bypass is not present."

No patch, a workaround is available

While VMware doesn't have a patch for this critical authentication bypass, the company provided admins with a temporary workaround until security updates are released.

"VMware released VMware Security Advisory VMSA-2023-0026 to help customers understand the issue and which upgrade path will fix it," VMware says in a separate advisory.

The workaround shared by VMware will only work for affected versions of VCD Appliance 10.5.0, and it requires downloading a custom script attached to this knowledgebase article and running it on cells exposed to the CVE-2023-34060 vulnerability.

According to VMware, the workaround does not cause any functional disruptions, and downtime is not a concern as neither a service restart nor a reboot is necessary.

In June, the company also fixed an ESXi zero-day used by Chinese state hackers for data theft and alerted customers to an actively exploited critical bug in the Aria Operations for Networks analytics tool.

More recently, in October, it patched a critical vCenter Server flaw (CVE-2023-34048) that can be exploited for remote code execution attacks.