
VMware Warns of Unpatched Critical Cloud Director Vulnerability

VMware is warning of a critical and unpatched security flaw in Cloud Director that could be exploited by a malicious actor to get around authentication protections.

Tracked as CVE-2023-34060 (CVSS score: 9.8), the vulnerability impacts instances that have been upgraded to version 10.5 from an older version.

“On an upgraded version of VMware Cloud Director Appliance 10.5, a malicious actor with network access to the appliance can bypass login restrictions when authenticating on port 22 (ssh) or port 5480 (appliance management console),” the company said in an alert.

“This bypass is not present on port 443 (VCD provider and tenant login). On a new installation of VMware Cloud Director Appliance 10.5, the bypass is not present.”

The virtualization services company further noted that the impact is due to the fact that it uses a version of sssd from the underlying Photon OS that is affected by CVE-2023-34060.

Dustin Hartle from IT solutions provider Superb Integrations has been credited with discovering and reporting the shortcomings.


While VMware has yet to release a fix for the problem, it has provided a workaround in the form of a shell script (“WA_CVE-2023-34060.sh”).

It also emphasized that implementing the temporary mitigation will neither require downtime nor have a side effect on the functionality of Cloud Director installations.

The development comes weeks after VMware released patches for another critical flaw in the vCenter Server (CVE-2023-34048, CVSS score: 9.8) that could result in remote code execution on affected systems.
