VMware has announced a critical vulnerability in its Cloud Director appliance, which organizations use to manage cloud services. The flaw, designated CVE-2023-34060, is an authentication bypass vulnerability that can be exploited using an unsophisticated attack and no user interaction, provided the threat actor has network access to the vulnerable appliance.
CVE-2023-34060 only affects Cloud Director appliances running VCD Appliance 10.5 software that was previously upgraded from an older version. Fresh installs of VCD Appliance 10.5 and Linux deployments are not affected. VMware is currently developing a patch to address the issue. In the meantime, it is advising users to download and run a script on vulnerable appliances.
Given the vulnerability’s high criticality, it’s likely that threat actors who successfully exploit CVE-2023-34060 can achieve some privileges on the compromised device, which could lead to data exfiltration, the deployment of ransomware or malware, or denial-of-service conditions. The full impact of this vulnerability was likely kept deliberately ambiguous so as not to provide threat actors with any specific information that could aid in the development of an exploit.
VMware’s large product suite is deployed widely throughout the world (see below) and has a history of being exploited by cybercriminals and nation-state actors alike.
Image 1. Scan results for VMware software. (Source: Shodan.io)
Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in software such as VMware. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate the exploitation of these vulnerabilities. Covalence users are automatically notified when vulnerable software is detected in their environment and are encouraged to review these AROs as quickly as possible.
Field Effect strongly encourages users of affected VMware products to run the script provided by VMware and deploy the patch when it is available.