VMware discloses critical, unpatched Cloud Director bug

VMware on Tuesday disclosed a critical vulnerability in appliance versions of its cloud service delivery platform, and a patch is not yet available.

CVE-2023-34060 is an authentication bypass flaw affecting certain versions of VMware Cloud Director Appliance. It affects instances of the platform that have been upgraded to version 10.5 from an older version, though new deployments of 10.5 are not affected. Older versions of Cloud Director Appliance, 10.4.x and below, also remain unaffected.

"On an upgraded version of VMware Cloud Director Appliance 10.5, a malicious actor with network access to the appliance can bypass login restrictions when authenticating on port 22 (ssh) or port 5480 (appliance management console)," the advisory read. "This bypass is not present on port 443 (VCD provider and tenant login)."

VMware rated the vulnerability a 9.8 on CVSS version 3 -- one of the highest severity ratings possible on the scoring system. Discovery was credited to Dustin Hartle, systems engineer at IT services firm Ideal Integrations.

According to a second security advisory published to GitHub, the issue primarily involves open source Linux-based operating system Photon OS and a system service it uses known as the System Security Services Daemon (SSSD). "VMware Cloud Director Appliance is impacted since it uses a version of sssd from the underlying Photon OS that is affected by CVE-2023-34060," VMware noted in its primary advisory.

While a patch is not yet available, the virtualization vendor has provided a manual workaround for vulnerable customers to apply until a patch is released. The workaround is a script that addresses the issue without requiring a reboot, service restart or system downtime, according to VMware.

A VMware spokesperson told TechTarget Editorial that the company was not aware of any exploitation from threat actors at press time.

"VMware is not aware of exploitation in the wild at this time for CVE-2023-34060. Our security advisory provides guidance that affected customers can follow to fix the issue and protect their environment, and a patch is forthcoming," the spokesperson said. "The security of our customers is a top priority, and we encourage all customers to sign up for our security advisory mailing list to receive the latest information."

Caitlin Condon, Rapid7's head of vulnerability research, told TechTarget Editorial in an email that the flaw "made Rapid7 research's watchlist" when it was disclosed due to the wide exploitation that products similar to Cloud Director face.

"While the product itself (Cloud Director) isn't one that has come up as a large-scale attack target over the past few years, we know that vulnerabilities in virtualization mainstays like vCenter Server/ESXi have been widely exploited, including in ransomware campaigns," she said. "Likewise, vulnerabilities in appliances (like vCloud Director) have been broadly exploited by a range of threat actors for initial access to corporate networks as well as for ransomware deployment."

Tenable staff research engineer Scott Caveza said the vulnerability should be a "major concern" for organizations using VMware Cloud Director. He added that what is "most troubling" about the flaw is the need for organizations to apply a manual remediation on every affected device.

"If an unauthenticated attacker can bypass the need for credentials to access the SSH interface or management console, that attacker can modify configurations, establish persistent access for further abuse and more," Caveza said.

Jérôme Segura, senior director of threat intelligence at Malwarebytes, said CVE-2023-34060 "is an important vulnerability to patch for companies that upgraded from an older version of VMware Cloud Director." He noted that a Shodan scan showed that there are thousands of servers running VMware Cloud Director.

Pieter Arntz, malware analyst at Malwarebytes, added, "This could potentially turn very ugly, given the ease of exploitation and the lack of an easy patch."

VMware vulnerabilities have come under attack from a variety of threat actors recently. In mid-June, Google Cloud-owned Mandiant revealed that a Chinese nation-state threat actor had been exploiting a zero-day in VMware hypervisor ESXi. And later that month, VMware confirmed that a critical vulnerability in VMware Aria Operations for Networks was under active exploitation.

Alexander Culafi is an information security news writer, journalist and podcaster based in Boston.