VMware has released an advisory (VMSA-2023-0026) addressing a critical authentication bypass vulnerability in the VMware Cloud Director Appliance (VCD Appliance).
Tracked as CVE-2023-34060, the flaw carries a CVSSv3 base score of 9.8, placing it in the critical severity range. VMware credits Dustin Hartle of Ideal Integrations Inc. with reporting the issue; the advisory is dated November 14, 2023.
Critical CVE-2023-34060 Vulnerability in VMware Cloud Director
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert pointing administrators to the advisory and urging them to review it and apply the necessary updates and workarounds promptly.
The authentication bypass is present in VMware Cloud Director Appliance 10.5 only when the appliance was upgraded to 10.5 from an earlier release; it is not a property of the 10.5 code base as such, but of the upgraded installation.
VMware rates the issue critical and assigns it a CVSSv3 base score of 9.8.
The severity comes from what the flaw lets an unauthenticated attacker do: anyone with network access to an upgraded 10.5 appliance can bypass authentication on two of its services, port 22 (SSH) and port 5480 (the appliance management console). No credentials are required beyond the ability to reach those ports.
As VMware's advisory notes, the vulnerability is absent from new installations of version 10.5, and port 443 (the VCD provider and tenant login portals) is not affected.
The affected product is therefore VMware Cloud Director Appliance 10.5 that was upgraded from 10.4.x or earlier. New installations of 10.5 and appliances still on 10.4.x or earlier are not affected. Because exposure depends on install history rather than on the version string alone, administrators should establish for each 10.5 appliance whether it was upgraded or freshly deployed before deciding it is out of scope.
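A fleet-triage helper built from the scoping rules above, as an added example (not VMware's code or tooling): it marks an appliance in scope only if it runs 10.5 and was upgraded from a release older than 10.5, then probes the two affected ports (22 and 5480) to show which in-scope appliances are actually reachable. The inventory format (host, version, upgraded_from) and the hostnames are constructed for illustration; a real run would pull them from a CMDB and would be followed by applying the workaround or update named in the advisory.

```python
"""
Triage helper for CVE-2023-34060 (VMware Cloud Director Appliance).

Added example, not VMware's code. Scoping follows VMSA-2023-0026 as described
above: in scope = running 10.5 AND upgraded from 10.4.x or earlier; fresh 10.5
installs and 10.4.x-or-older appliances are out of scope. Affected services are
sshd (22) and the appliance management console (5480); 443 is not affected.
Check the current advisory for fixed 10.5 builds before relying on this rule.
"""
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

AFFECTED_PORTS = (22, 5480)  # per the advisory; 443 is explicitly not affected


@dataclass(frozen=True)
class Appliance:
    host: str
    version: str                  # e.g. "10.5" or "10.4.2"
    upgraded_from: Optional[str]  # None means a fresh installation


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '10.5' / '10.4.2' into a comparable tuple, padded to 3 parts."""
    try:
        nums = tuple(int(p) for p in v.strip().split("."))
    except ValueError:
        raise ValueError(f"unparseable version string: {v!r}") from None
    return nums + (0,) * (3 - len(nums)) if len(nums) < 3 else nums


def in_scope(app: Appliance) -> bool:
    """Apply the advisory's affected-product rule to one appliance."""
    if parse_version(app.version)[:2] != (10, 5):
        return False  # 10.4.x and earlier are not affected
    if app.upgraded_from is None:
        return False  # new 10.5 installations are not affected
    # Only upgrades from 10.4.x or earlier carry the bypass.
    return parse_version(app.upgraded_from) < (10, 5, 0)


def port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """TCP connect probe; True if the port accepts a connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def triage(inventory: List[Appliance],
           probe: Callable[[str, int], bool] = port_open) -> List[Tuple[str, List[int]]]:
    """Return (host, reachable affected ports) for every in-scope appliance.

    Appliances stay listed even with no reachable port: they still need the
    advisory's workaround or update; reachability only orders the work.
    """
    findings = []
    for app in inventory:
        if not in_scope(app):
            continue
        exposed = [p for p in AFFECTED_PORTS if probe(app.host, p)]
        findings.append((app.host, exposed))
    return findings


# Constructed sample inventory (hostnames and histories are made up).
SAMPLE_INVENTORY = [
    Appliance("vcd-a.example.internal", "10.5", "10.4.2"),    # in scope
    Appliance("vcd-b.example.internal", "10.5", None),        # fresh install
    Appliance("vcd-c.example.internal", "10.4.2", None),      # not 10.5
    Appliance("vcd-d.example.internal", "10.5.0", "10.3.3"),  # in scope
    Appliance("vcd-e.example.internal", "10.5", "10.5"),      # not from <=10.4.x
]

if __name__ == "__main__":
    for host, ports in triage(SAMPLE_INVENTORY):
        state = f"ports {ports} reachable" if ports else "no affected port reachable"
        print(f"{host}: IN SCOPE for CVE-2023-34060, {state}")
```

The probe is injectable so the scoping logic can be exercised offline; in production, run it from the same network position an attacker would have, since the bypass needs only network access to 22 or 5480.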