VMware Cloud Director 10.5.1 addresses an authentication bypass vulnerability.
The Common Vulnerabilities and Exposures project (https://cve.mitre.org) has assigned the identifier CVE-2023-34060 to this issue.
VMware released VMware Security Advisory VMSA-2023-0026 to help customers understand the issue and which upgrade path will fix it.
This article describes the recommended solution, upgrading to a patched release, and also provides a workaround for customers who cannot upgrade.
Affected VMware Cloud Director Version | Fixed Version | Release Date
--- | --- | ---
10.5.0 | 10.5.1 | November 30th 2023
Updating system-account file if needed
account [default=bad success=ok user_unknown=ignore] pam_sss.so
Removing account line from system-account file
Successfully removed account pam_sss.so line from system-account file
account sufficient pam_unix.so
Removing sufficient qualification from pam_unix.so entry in system-account file
Successfully removed sufficient qualification from pam_unix.so entry in system-account file
Updating system-auth file if needed
auth sufficient pam_sss.so use_first_pass
Removing account line from system-auth file
Successfully removed use_first_pass line from system-auth file
auth sufficient pam_unix.so
Removing sufficient qualification from pam_unix.so entry in system-auth file
Successfully removed sufficient qualification from pam_unix.so entry in system-auth file
Updating system-session file if needed
session optional pam_sss.so
Removing optional line from system-session file
Successfully removed optional line from system-session file
Updating system-account file if needed
No changes were needed to system-account file to remove the account pam_sss.so reference.
No changes were needed to system-account file to remove sufficient qualification from pam_unix.so entry.
Updating system-auth file if needed
No changes were needed to system-auth file to remove use_first_pass reference.
No changes were needed to system-auth file to remove sufficient qualification from pam_unix.so entry
Updating system-session file if needed
Updates to system-session file were not needed.
File contents before (affected) and after (unaffected) the workaround:

Affected /etc/pam.d/system-account:
# Begin /etc/pam.d/system-account
account required pam_tally2.so file=/var/log/tallylog
account sufficient pam_unix.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
# End /etc/pam.d/system-account

Unaffected /etc/pam.d/system-account:
# Begin /etc/pam.d/system-account
account required pam_tally2.so file=/var/log/tallylog
account required pam_unix.so
# End /etc/pam.d/system-account

Affected /etc/pam.d/system-auth:
# Begin /etc/pam.d/system-auth
auth required pam_env.so
auth required pam_tally2.so onerr=fail deny=3 unlock_time=900 root_unlock_time=900 file=/var/log/tallylog
auth sufficient pam_unix.so
auth sufficient pam_sss.so use_first_pass
auth optional pam_faildelay.so delay=4000000
# End /etc/pam.d/system-auth

Unaffected /etc/pam.d/system-auth:
# Begin /etc/pam.d/system-auth
auth required pam_env.so
auth required pam_tally2.so onerr=fail deny=3 unlock_time=900 root_unlock_time=900 file=/var/log/tallylog
auth required pam_unix.so
auth optional pam_faildelay.so delay=4000000
# End /etc/pam.d/system-auth

Affected /etc/pam.d/system-session:
# Begin /etc/pam.d/system-session
session required pam_unix.so
session optional pam_sss.so
session required pam_limits.so
session optional pam_motd.so
session optional pam_lastlog.so silent
session optional pam_systemd.so
# End /etc/pam.d/system-session

Unaffected /etc/pam.d/system-session:
# Begin /etc/pam.d/system-session
session required pam_unix.so
session required pam_limits.so
session optional pam_motd.so
session optional pam_lastlog.so silent
session optional pam_systemd.so
# End /etc/pam.d/system-session
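The before/after listings make a mechanical check possible. The following Python is added here as an example and is not VMware's workaround script: it parses a PAM file, reports the entries that match the affected configuration (any pam_sss.so entry, or an account/auth pam_unix.so entry stacked as sufficient rather than required) and produces the remediated contents; the embedded sample is taken from the affected system-account listing above, and the function names are this example's own.

```python
import re

SSS_MODULE, UNIX_MODULE = "pam_sss.so", "pam_unix.so"  # removed / tightened by the workaround
_ENTRY = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")  # control may be [bracketed]

# Constructed sample: the affected /etc/pam.d/system-account contents listed above.
AFFECTED_SYSTEM_ACCOUNT = """\
# Begin /etc/pam.d/system-account
account required pam_tally2.so file=/var/log/tallylog
account sufficient pam_unix.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
# End /etc/pam.d/system-account
"""

def parse_entry(line):
    """(type, control, module, args) for a PAM entry; None for blank lines and comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m = _ENTRY.match(stripped)
    return m.groups() if m else None

def is_weak_unix(entry):
    """True for an account/auth pam_unix.so entry stacked as sufficient rather than required."""
    mtype, control, module, _args = entry
    return module == UNIX_MODULE and mtype in ("account", "auth") and control == "sufficient"

def audit_pam_file(text):
    """Reasons a file matches the affected configuration; an empty list means it is unaffected."""
    findings = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry and entry[2] == SSS_MODULE:
            findings.append(f"{entry[0]} entry for {SSS_MODULE} present")
        elif entry and is_weak_unix(entry):
            findings.append(f"{entry[0]} {UNIX_MODULE} is sufficient instead of required")
    return findings

def remediate_pam_file(text):
    """Apply the workaround's edits: drop pam_sss.so lines, make pam_unix.so required."""
    out = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry and entry[2] == SSS_MODULE:
            continue  # the pam_sss.so line is removed entirely
        if entry and is_weak_unix(entry):
            line = line.replace("sufficient", "required", 1)
        out.append(line)
    return "\n".join(out) + "\n"
```

Running audit_pam_file over each of the three files on an appliance gives an empty list only when all of them already match the unaffected listings.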