CVE-2023-34060 - Authentication Bypass in Upgraded VMware Cloud Director Appliance - An In-Depth Exploration

In December 2023, VMware warned users about a critical vulnerability CVE-2023-34060 affecting VMware Cloud Director Appliance under specific upgrade circumstances. If you manage virtual environments, this is an important issue that could put your infrastructure at risk if not addressed properly. This post will break down how the bug works, who is at risk, and what you can do about it, using straightforward language and real code snippets.

What is CVE-2023-34060?

CVE-2023-34060 is an authentication bypass bug that affects VMware Cloud Director Appliance when it has been upgraded to version 10.5 from an older version. If a bad actor gets network access to your appliance, they might be able to log in—without valid credentials—using SSH (port 22) or the appliance management console (port 548).

Important:

You did a fresh install of version 10.5.

- Your Photon OS ships with sssd-2.8.1-11 (or higher, on Photon OS 3) or sssd-2.8.2-9 (or higher, on Photon OS 4 or 5).

Root Cause: SSSD in Photon OS

The system security services daemon (SSSD) in certain versions of Photon OS (which underlies VMware Cloud Director) has a flaw where, after an *upgrade* (but not a fresh install), residual configuration issues allow attackers to bypass authentication.

Affected if using sssd earlier than 2.8.1-11

- Photon OS 4/5:

Exploits the authentication bypass to log in as a privileged user.

Note: Exact exploit details have not been widely published, but the bypass appears to disable PAM authentication checks in certain configurations.

Example: Authentication Bypass Test

# Hypothetical: Try SSH with a blank password
ssh root@victim-appliance
# If prompted for password, just press Enter
# If the bug exists, you might get a shell without a valid password

*Note: This code is only to demonstrate the nature of the exploit. Never attack systems you do not own or have explicit permission to test.*

1. Check SSSD version

rpm -qa | grep sssd

Photon OS 3: sssd-2.8.1-11

- Photon OS 4/5: sssd-2.8.2-9

2. Check the Upgrade Path

If you upgraded to 10.5 (and didn’t freshly install), consider yourself at risk even if your sssd package is newer, unless you redeployed from scratch.

How to Update SSSD

tdnf update sssd
systemctl restart sssd

Block Untrusted Access (Temporary)

# Block port 22 and 548 using firewall
iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -A INPUT -p tcp --dport 548 -j DROP

References and Further Reading

- VMware Security Advisory VMSA-2023-0028.1
- Photon OS Security Updates
- SSSD Upstream Releases
- NIST NVD Entry for CVE-2023-34060

Conclusion

CVE-2023-34060 is a serious bug that only impacts upgraded VMware Cloud Director Appliances (not new installs), letting attackers potentially bypass authentication on sensitive admin ports. Check your environment right away, patch your systems, and block any risky management ports from untrusted sources.

If you’re unsure, it’s a good time to review your upgrade and patching practices to prevent similar issues in the future.

Timeline

Published on: 11/14/2023 21:15:09 UTC
Last modified on: 11/21/2023 19:59:44 UTC