What is VMSA-2023-0026?
VMware states that: "On an upgraded version of VMware Cloud Director Appliance 10.5, a malicious actor with network access to the appliance can bypass login restrictions when authenticating on port 22 (ssh) or port 5480 (appliance management console). This bypass is not present on port 443 (VCD provider and tenant login). On a new installation of VMware Cloud Director Appliance 10.5, the bypass is not present."
Well, not that descriptive, right? VMware KB 95534 sheds some light on CVE-2023-34060. Only VMware Cloud Director appliances that have been upgraded to 10.5.0 from any previous version are affected; newly deployed appliances and Linux-based Cloud Directors are safe.
This is odd, but if you scroll down a bit, you'll find a one-liner that checks whether your appliance has the problem:

    egrep 'unknown|sufficient|use_first_pass|optional pam_sss' /etc/pam.d/system*
Now things are starting to make more sense: the check is looking for specific PAM control flags and module options. To complete the picture, we should also look at the CVE-2023-34060 entry itself, and then it's crystal clear.
Whoever prepared the Photon OS update forgot to check the PAM configuration changes made during the update.
How the CVE works
CVE-2023-34060: The sssd package installed during the upgrade added some insecure options to the PAM configuration (sufficient and optional control flags, use_first_pass, and an account rule that ignores unknown users), which weakened the password and authentication policy used for local, SSH, and port 5480 authentication.
How to patch these vulnerabilities
There is no fixed version available at this time. The only option is to manually run the attached script on each affected VMware Cloud Director appliance.
The original VMSA article is available here.
    #!/bin/bash
    #
    # Copyright 2023 VMware, Inc. All rights reserved.
    #
    # Removes the PAM entries the sssd package added during the upgrade to
    # VMware Cloud Director Appliance 10.5 (CVE-2023-34060). Run as root on
    # each affected appliance; exits non-zero if any edit fails.
    LOG_DIR="/opt/vmware/var/log/vcd"
    BIN_DIR="/opt/vmware/appliance/bin"
    PAMD_DIR="/etc/pam.d"
    LOG_FILE="$LOG_DIR/patch-pamd.log"
    # Appliance helper library; provides log_and_echo and log_and_echo_error.
    source "$BIN_DIR/common-utils.sh"
    touch "$LOG_FILE"

    # system-account: drop the pam_sss.so account rule and demote pam_unix.so
    # from "sufficient" to "required".
    log_and_echo "Updating system-account file if needed"
    ACCOUNT_CHANGE='account \[default=bad success=ok user_unknown=ignore\] pam_sss.so'
    if grep "$ACCOUNT_CHANGE" "$PAMD_DIR/system-account"; then
        log_and_echo "Removing account line from system-account file"
        sed -i "/$ACCOUNT_CHANGE/d" "$PAMD_DIR/system-account"
        if [ "$?" -ne 0 ]; then
            log_and_echo_error "Could not remove account pam_sss.so line from pam.d system-account file"
            exit 1
        fi
        log_and_echo "Successfully removed account pam_sss.so line from system-account file"
    else
        log_and_echo "No changes were needed to system-account file to remove the account pam_sss.so reference."
    fi
    PAM_UNIX_SUFFICIENT_ACCOUNT='account\s*sufficient\s*pam_unix.so'
    if grep -E "$PAM_UNIX_SUFFICIENT_ACCOUNT" "$PAMD_DIR/system-account"; then
        log_and_echo "Removing sufficient qualification from pam_unix.so entry in system-account file"
        sed -i -E '/pam_unix.so$/s/sufficient/required/' "$PAMD_DIR/system-account"
        if [ "$?" -ne 0 ]; then
            log_and_echo_error "Could not remove sufficient qualification from pam_unix.so entry in system-account file"
            exit 1
        fi
        log_and_echo "Successfully removed sufficient qualification from pam_unix.so entry in system-account file"
    else
        log_and_echo "No changes were needed to system-account file to remove sufficient qualification from pam_unix.so entry."
    fi

    # system-auth: drop the pam_sss.so use_first_pass rule and demote
    # pam_unix.so from "sufficient" to "required".
    log_and_echo "Updating system-auth file if needed"
    USE_FIRST_PASS_CHANGE='auth sufficient pam_sss.so use_first_pass'
    if grep "$USE_FIRST_PASS_CHANGE" "$PAMD_DIR/system-auth"; then
        log_and_echo "Removing use_first_pass line from system-auth file"
        sed -i "/$USE_FIRST_PASS_CHANGE/d" "$PAMD_DIR/system-auth"
        if [ "$?" -ne 0 ]; then
            log_and_echo_error "Could not remove use_first_pass line from pam.d system-auth file"
            exit 1
        fi
        log_and_echo "Successfully removed use_first_pass line from system-auth file"
    else
        log_and_echo "No changes were needed to system-auth file to remove use_first_pass reference."
    fi
    PAM_UNIX_SUFFICIENT_AUTH='auth\s*sufficient\s*pam_unix.so'
    if grep -E "$PAM_UNIX_SUFFICIENT_AUTH" "$PAMD_DIR/system-auth"; then
        log_and_echo "Removing sufficient qualification from pam_unix.so entry in system-auth file"
        sed -i -E '/pam_unix.so$/s/sufficient/required/' "$PAMD_DIR/system-auth"
        if [ "$?" -ne 0 ]; then
            log_and_echo_error "Could not remove sufficient qualification from pam_unix.so entry in system-auth file"
            exit 1
        fi
        log_and_echo "Successfully removed sufficient qualification from pam_unix.so entry in system-auth file"
    else
        log_and_echo "No changes were needed to system-auth file to remove sufficient qualification from pam_unix.so entry."
    fi

    # system-session: drop the optional pam_sss.so session rule.
    log_and_echo "Updating system-session file if needed"
    SESSION_OPTIONAL='session optional pam_sss.so'
    if grep "$SESSION_OPTIONAL" "$PAMD_DIR/system-session"; then
        log_and_echo "Removing optional line from system-session file"
        sed -i "/$SESSION_OPTIONAL/d" "$PAMD_DIR/system-session"
        if [ "$?" -ne 0 ]; then
            log_and_echo_error "Could not remove optional line from pam.d system-session file"
            exit 1
        fi
        log_and_echo "Successfully removed optional line from system-session file"
    else
        log_and_echo "Updates to system-session file were not needed."
    fi
    exit 0
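The KB one-liner above only greps for keywords; as an added example (not from the VMware KB or the patch script), here is an audit function that checks PAM files for the exact lines the patch script removes or rewrites and explains why each one weakens the stack. It runs over constructed sample files; the WEAK_REGEX and WEAK_REASON arrays and the audit_pam_file function are this example's own names.

```shell
#!/bin/bash
# Added example: audit /etc/pam.d files for the weak sssd options that
# VMSA-2023-0026 describes and explain each finding. Sample files below are
# constructed, not copied from an appliance.

# grep -E patterns for the lines the patch script targets, with a parallel
# array giving the PAM semantics that make each one a problem.
WEAK_REGEX=(
  '^account[[:space:]]+\[default=bad success=ok user_unknown=ignore\][[:space:]]+pam_sss\.so'
  '^(auth|account)[[:space:]]+sufficient[[:space:]]+pam_unix\.so'
  '^auth[[:space:]]+sufficient[[:space:]]+pam_sss\.so[[:space:]]+use_first_pass'
  '^session[[:space:]]+optional[[:space:]]+pam_sss\.so'
)
WEAK_REASON=(
  'account phase ignores an unknown-user result from SSSD'
  'sufficient ends the stack on pam_unix success, skipping later required modules'
  'pam_sss reuses the already-typed password as a sufficient auth module'
  'SSSD session module the upgrade added'
)

# audit_pam_file FILE: prints each offending line with its reason on stderr,
# prints the finding count on stdout (0 for a clean or missing file).
audit_pam_file() {
  local file="$1" total=0 i hits
  for i in "${!WEAK_REGEX[@]}"; do
    hits=$(grep -E "${WEAK_REGEX[$i]}" "$file" 2>/dev/null || true)
    [ -z "$hits" ] && continue
    printf '%s: %s\n%s\n' "$file" "${WEAK_REASON[$i]}" "$hits" >&2
    total=$((total + $(printf '%s\n' "$hits" | wc -l)))
  done
  echo "$total"
}

# Constructed samples: system-auth and system-account as the upgrade leaves
# them, plus a system-auth that already has the hardened "required" line.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/system-auth" <<'EOF'
auth sufficient pam_unix.so
auth sufficient pam_sss.so use_first_pass
EOF
cat > "$SAMPLE_DIR/system-account" <<'EOF'
account sufficient pam_unix.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
EOF
cat > "$SAMPLE_DIR/system-auth.clean" <<'EOF'
auth required pam_unix.so
EOF

# On a real appliance: for f in /etc/pam.d/system-*; do audit_pam_file "$f"; done
```

A non-zero count on any system-* file means the appliance still carries the upgrade's PAM changes and the patch script has not been applied.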