VMware has issued an advisory (VMSA-2023-0026) for an authentication bypass vulnerability (CVE-2023-34060) against its VMware Cloud Director Appliances. The vulnerability is rated critical with a 9.8 out of 10 CVSS severity score. This new exploit could allow unauthenticated attackers to obtain access to vulnerable appliances without credentials.
VMware Zero Day
It’s important to note that this vulnerability was disclosed privately to VMWare, meaning that any proof-of-concept code will be kept secret either indefinitely, or until a defined period of time has passed. In theory, this delay should allow time for diligent users to apply necessary patches. The existence of a known bypass, however, will incentivize malicious threat actors to quickly find and replicate the authentication bypass against target systems before patches are applied.
As part of the advisory, VMware stated that the vulnerability affects VMware Cloud Director Appliances that have been updated to version 10.5 from a previous version. Appliances which had fresh installations of version 10.5 are not vulnerable. This vulnerability also does not impact Linux deployments of the Appliance. Also noted was this vulnerability only impacts TCP Port 22, and 5480 management ports, not the TCP 443 tenant login port. While this information was shared to help organization’s scope impact, this information could be utilized by threat actors and researchers in identifying the vulnerable code as a comparison of the authentication process can be performed between the two types of installation. It will be important for organizations that utilize affected appliances to keep track of any announcements related to this vulnerability over the coming weeks, in case additional guidance becomes available.
Moving forward, it will also be important to stay alert for related Day One Exploits. Day One Exploits are exploits created after a patch has been released, in which threat actors and researchers alike reverse engineer what the patch did to identify the vulnerable functions and code within a product. Therefore, while no public exploits are currently available, it is probable that an exploit will exist in the future either prior to or shortly after patching has occurred.
In order to remediate this vulnerability before an official patch is provided, users should follow the guidance in KB95534, outlined below. Per VMware executing the above script will not cause disruptions, downtime, or require a system reboot.
VMware Zero Day Redmediation
Perform the following steps using this script:
- SSH to Primary Cell within the Server Group.
- Download the attached WA_CVE-2023-34060.sh script to the /opt/vmware/vcloud-director/data/transfer/ directory.
- Modify the permissions of the file to allow execution.
- chown root:vcloud /opt/vmware/vcloud-director/data/transfer/WA_CVE-2023-34060.sh
- chmod 740 /opt/vmware/vcloud-director/data/transfer/WA_CVE-2023-34060.sh
- Navigate to the Transfer directory of the Cell.
- cd /opt/vmware/vcloud-director/data/transfer/
- Execute the script.
- ./WA_CVE-2023-34060.sh
- Repeat Step 4 and Step 5 above on all remaining Cells within the Server Group.
If you cannot apply the above patch, White Oak Security recommends the following action:
Restrict network access to the devices on TCP port 22 and 5480 to mitigate some of the risk of the exploitation, assuming the systems are running on a standard port configuration.