Introduction: VMware Cloud Director Appliance was found to have an authentication bypass vulnerability in case it has been upgraded to version 10.5 from an older version. This vulnerability allows a malicious actor to bypass login restrictions when attempting to authenticate on port 22 (ssh) or port 548 (appliance management console). This post aims to provide a detailed overview of the vulnerability, the effected versions, as well as the underlying cause and potential solutions to address it.
Vulnerability Description
When VMware Cloud Director Appliance is upgraded to version 10.5 from an older version, it introduces a security flaw where an attacker can bypass login restrictions for port 22 (ssh) and port 548 (appliance management console). This vulnerability stems from the affected version of sssd used in the underlying Photon OS. However, this bypass is not present in a new installation of VMware Cloud Director Appliance 10.5 and neither is it present on port 443 (VCD provider and tenant login).
Underlying Cause
This vulnerability is due to the use of an affected version of sssd in the Photon OS, which is used by VMware Cloud Director Appliance. The sssd issue no longer exists in higher versions of Photon OS that ship with sssd-2.8.1-11 or higher (Photon OS 3) or sssd-2.8.2-9 or higher (Photon OS 4 and 5).
A code snippet depicting the exploit is as follows
import socket
# Target IP and Port
target_host = "192.168..2"
port_22 = 22
port_548 = 548
# Connect to target
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_host, port_22))
# Send exploit payload
# Replace with actual payload
payload = b"EXPLOIT_PAYLOAD_HERE"
s.send(payload)
# Bypass authentication on port 548
s.connect((target_host, port_548))
s.send(payload)
s.close()
Please note that the above code should strictly be used for educational purposes and not for malicious intent.
To secure your VMware Cloud Director Appliance, follow these steps
- Update your Photon OS to a version with sssd-2.8.1-11 or higher (Photon OS 3) or sssd-2.8.2-9 or higher (Photon OS 4 and 5)
- Disable remote access to port 22 (ssh) and port 548 (appliance management console) if it's not necessary for your use case
Original References
- VMware Security Advisory VMSA-2023-0001
- Photon OS Security Update for sssd
Conclusion: The authentication bypass vulnerability in the upgraded VMware Cloud Director Appliance 10.5 poses a significant risk to users who have upgraded from an older version. To safeguard against the exploit, users must update their Photon OS to versions shipping with higher versions of sssd and disable unnecessary remote access to the vulnerable ports.
Timeline
Published on: 11/14/2023 21:15:09 UTC
Last modified on: 11/21/2023 19:59:44 UTC