Security News > 2023 > November > VMWare discloses critical VCD Appliance auth bypass with no patch

VMware disclosed a critical and unpatched authentication bypass vulnerability affecting Cloud Director appliance deployments.

The auth bypass security flaw only affects appliances running VCD Appliance 10.5 that were previously upgraded from an older release.

"On an upgraded version of VMware Cloud Director Appliance 10.5, a malicious actor with network access to the appliance can bypass login restrictions when authenticating on port 22 or port 5480," VMware explains.

"This bypass is not present on port 443. On a new installation of VMware Cloud Director Appliance 10.5, the bypass is not present."

While VMware doesn't have a patch for this critical authentication bypass, the company provided admins with a temporary workaround until security updates are released.

The workaround shared by VMware will only work for affected versions of VCD Appliance 10.5.0, and it requires downloading a custom script attached to this knowledgebase article and running it on cells exposed to the CVE-2023-34060 vulnerability.

News URL

https://www.bleepingcomputer.com/news/security/vmware-discloses-critical-vcd-appliance-auth-bypass-with-no-patch/