VMware has mounted a important authentication bypass vulnerability in Cloud Director equipment deployments, a bug that was left unpatched for over two weeks because it was disclosed on November 14th.
Cloud Director is a VMware platform that allows admins to handle knowledge facilities unfold throughout a number of areas as Digital Information Facilities (VDC).
The auth bypass safety flaw (CVE-2023-34060) solely impacts home equipment operating VCD Equipment 10.5 that had been beforehand upgraded from an older launch. Nevertheless, VMware says it does not have an effect on recent VCD Equipment 10.5 installs, Linux deployments, and different home equipment.
Distant attackers can remotely exploit the CVE-2023-34060 bug in low-complexity assaults that do not require consumer interplay.
“On an upgraded model of VMware Cloud Director Equipment 10.5, a malicious actor with community entry to the equipment can bypass login restrictions when authenticating on port 22 (ssh) or port 5480 (equipment administration console),” VMware explains.
“This bypass just isn’t current on port 443 (VCD supplier and tenant login). On a brand new set up of VMware Cloud Director Equipment 10.5, the bypass just isn’t current.”
Workaround additionally obtainable
The corporate additionally offers a brief workaround for admins who can’t instantly set up the safety patch.
“VMware launched VMware Safety Advisory VMSA-2023-0026 to assist prospects perceive the difficulty and which improve path will repair it,” VMware says in a separate advisory.
The workaround shared by VMware solely works for affected variations of VCD Equipment 10.5.0, and it requires downloading a customized script and operating it on cells susceptible to CVE-2023-34060 assaults.
This workaround doesn’t trigger any useful disruptions, in response to VMware, and downtime can also be not a priority since neither a service restart nor a reboot is important.
In June, VMware patched an ESXi zero-day (CVE-2023-20867) exploited by Chinese language cyberspies for knowledge theft and alerted prospects to an actively abused important flaw within the Aria Operations for Networks analytics software.
Extra lately, in October, it additionally mounted a important vCenter Server flaw (CVE-2023-34048) that can be utilized for distant code execution assaults.
