CVE-2023-34060
published 2023-11-14

Priority P269 · critical · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 1.34% (67.9th percentile)

VMware Cloud Director Appliance contains an authentication bypass vulnerability in case VMware Cloud Director Appliance was upgraded to 10.5 from an older version. On an upgraded version of VMware Cloud Director Appliance 10.5, a malicious actor with network access to the appliance can bypass login restrictions when authenticating on port 22 (ssh) or port 5480 (appliance management console). This bypass is not present on port 443 (VCD provider and tenant login). On a new installation of VMware Cloud Director Appliance 10.5, the bypass is not present. VMware Cloud Director Appliance is impacted since it uses an affected version of sssd from the underlying Photon OS. The sssd issue is no longer present in versions of Photon OS that ship with sssd-2.8.1-11 or higher (Photon OS 3) or sssd-2.8.2-9 or higher (Photon OS 4 and 5).

Affected (1 range)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vmware | cloud_director | < 10.5 | 10.5 |

Detection & IOCs (extracted from sources)

port: 5480
command: client.connect(ip, port, "root", "vmware", allow_agent=False, look_for_keys=False)
  • Monitor for unauthenticated or anomalous SSH login attempts on port 22 to VMware Cloud Director Appliance 10.5 hosts that were upgraded from an older version — successful logins bypassing normal authentication are indicative of exploitation.
  • Monitor for unauthenticated or anomalous access attempts on port 5480 (VCD appliance management console) on upgraded VCD Appliance 10.5 instances.
  • Exploit PoC uses hardcoded credentials 'root'/'vmware' over SSH — alert on SSH authentication attempts using these credentials against VCD appliance hosts.
  • The bypass is NOT present on port 443; focus detection on ports 22 and 5480 exclusively for this CVE.
  • Only upgraded (not fresh-install) VCD Appliance 10.5 instances are vulnerable; scope detection to appliances known to have been upgraded from an older version.
  • The underlying vulnerable component is sssd from Photon OS; check for sssd versions below sssd-2.8.1-11 (Photon OS 3) or sssd-2.8.2-9 (Photon OS 4 and 5) as a host-based indicator of a vulnerable system.
  • Vulnerability only affects VCD Appliance 10.5 instances that were UPGRADED from an older version — fresh installs of 10.5 are NOT affected.
  • Linux deployments and other (non-appliance) VCD deployment types are not impacted.
  • A workaround script is available for VCD Appliance 10.5.0 that does not require a service restart or reboot, and does not cause functional disruptions.
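
The sssd version check from the detection notes above, as an added example (not code from this page or from VMware): it compares `rpm -q sssd` style strings against the fixed builds named in the description. The `.phN` dist-tag format, the function names and the sample hostnames are assumptions made for illustration.

```python
import re

# Fixed sssd builds named in the advisory text, keyed by Photon OS major version.
FIXED = {3: ((2, 8, 1), 11), 4: ((2, 8, 2), 9), 5: ((2, 8, 2), 9)}

# Matches e.g. "sssd-2.8.1-11.ph3.x86_64" or a bare "2.8.2-9".
# Assumption: the release starts with an integer and may carry a ".phN" dist tag.
_NVR = re.compile(r"^(?:sssd-)?(\d+(?:\.\d+)*)-(\d+)(?:\.ph(\d+))?(?:\..*)?$")


def parse_sssd(nvr):
    """Return (version_tuple, release_int, photon_major_or_None)."""
    m = _NVR.match(nvr.strip())
    if not m:
        raise ValueError(f"unrecognised sssd package string: {nvr!r}")
    version = tuple(int(p) for p in m.group(1).split("."))
    photon = int(m.group(3)) if m.group(3) else None
    return version, int(m.group(2)), photon


def sssd_is_below_fix(nvr, photon_major=None):
    """True if the package is older than the fixed build for its Photon OS."""
    version, release, tagged = parse_sssd(nvr)
    major = photon_major if photon_major is not None else tagged
    if major not in FIXED:
        raise ValueError(f"no fixed build known for Photon OS {major!r}")
    # Tuples compare upstream version first, then the package release number.
    return (version, release) < FIXED[major]


def hosts_to_review(inventory):
    """inventory maps hostname -> `rpm -q sssd` output; returns flagged hosts."""
    return sorted(h for h, nvr in inventory.items() if sssd_is_below_fix(nvr))


# Constructed sample inventory (hostnames and builds are illustrative only).
SAMPLE = {
    "vcd-cell-01.example": "sssd-2.8.1-10.ph3.x86_64",
    "vcd-cell-02.example": "sssd-2.8.1-11.ph3.x86_64",
    "vcd-cell-03.example": "sssd-2.8.2-8.ph4.x86_64",
    "vcd-cell-04.example": "sssd-2.8.2-9.ph4.x86_64",
}

if __name__ == "__main__":
    for host in hosts_to_review(SAMPLE):
        print(f"{host}: sssd below fixed build, confirm whether it was upgraded to 10.5")
```

A flagged sssd build is only a host-based indicator: per the description, the bypass applies to appliances upgraded to 10.5, so a match still has to be checked against the appliance's upgrade history.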