Martin Rehula

What is VMSA-2023-0026?

VMware's advisory states: "On an upgraded version of VMware Cloud Director Appliance 10.5, a malicious actor with network access to the appliance can bypass login restrictions when authenticating on port 22 (ssh) or port 5480 (appliance management console). This bypass is not present on port 443 (VCD provider and tenant login). On a new installation of VMware Cloud Director Appliance 10.5, the bypass is not present."

Well, not that descriptive, right? VMware KB 95534 sheds some light on CVE-2023-34060. Only VMware Cloud Director appliances that have been upgraded to 10.5.0 from any previous version are affected; newly deployed 10.5 appliances and Linux-based Cloud Director installations are not.

This is odd, but if you scroll down a bit, you'll find a one-liner to check whether your appliance is affected. It reads:

egrep 'unknown|sufficient|use_first_pass|optional pam_sss' /etc/pam.d/system*

If that command prints any lines, the weakened PAM entries are present on your appliance.

Now things are starting to make more sense. To complete the picture, we should also look at the CVE-2023-34060 entry itself; then it's crystal clear.

Whoever prepared the Photon OS update forgot to review the PAM configuration changes made during the update.

How the CVE works

CVE-2023-34060: The sssd package installed during the upgrade added insecure options to the PAM configuration, which weakened the password and authentication policy used for local, SSH and port 5480 authentication.

How to patch this vulnerability

There is no fixed version available at this time. The only option is to manually run the attached script (reproduced below) on each affected VMware Cloud Director appliance.

The original VMSA article is available here.


#!/bin/bash
#
# Copyright 2023 VMware, Inc.  All rights reserved.

LOG_DIR="/opt/vmware/var/log/vcd"
BIN_DIR="/opt/vmware/appliance/bin"
PAMD_DIR="/etc/pam.d/"
LOG_FILE="$LOG_DIR/patch-pamd.log"

source $BIN_DIR/common-utils.sh

touch $LOG_FILE

# system-account
log_and_echo "Updating system-account file if needed"
ACCOUNT_CHANGE='account \[default=bad success=ok user_unknown=ignore\] pam_sss.so'
if grep "$ACCOUNT_CHANGE" $PAMD_DIR/system-account; then
    log_and_echo "Removing account line from system-account file"
    sed -i "/$ACCOUNT_CHANGE/d" $PAMD_DIR/system-account
    if [ "$?" -ne 0 ]; then
        log_and_echo_error "Could not remove account pam_sss.so line from pam.d system-account file"
        exit 1
    fi
    log_and_echo "Successfully removed account pam_sss.so line from system-account file"
else
    log_and_echo "No changes were needed to system-account file to remove the account pam_sss.so reference."
fi

# 'sufficient' lets pam_unix.so satisfy the stack on its own; tighten it to 'required'
PAM_UNIX_SUFFICIENT_ACCOUNT='account\s*sufficient\s*pam_unix.so'
if grep -E "$PAM_UNIX_SUFFICIENT_ACCOUNT" $PAMD_DIR/system-account; then
    log_and_echo "Removing sufficient qualification from pam_unix.so entry in system-account file"
    sed -i -E '/pam_unix.so$/s/sufficient/required/' $PAMD_DIR/system-account
    if [ "$?" -ne 0 ]; then
        log_and_echo_error "Could not remove sufficient qualification from pam_unix.so entry in system-account file"
        exit 1
    fi
    log_and_echo "Successfully removed sufficient qualification from pam_unix.so entry in system-account file"
else
    log_and_echo "No changes were needed to system-account file to remove sufficient qualification from pam_unix.so entry."
fi

# system-auth
log_and_echo "Updating system-auth file if needed"
USE_FIRST_PASS_CHANGE='auth sufficient pam_sss.so use_first_pass'
if grep "$USE_FIRST_PASS_CHANGE" $PAMD_DIR/system-auth; then
    log_and_echo "Removing account line from system-auth file"
    sed -i "/$USE_FIRST_PASS_CHANGE/d" $PAMD_DIR/system-auth
    if [ "$?" -ne 0 ]; then
        log_and_echo_error "Could not remove use_first_pass line from pam.d system-auth file"
        exit 1
    fi
    log_and_echo "Successfully removed use_first_pass line from system-auth file"
else
    log_and_echo "No changes were needed to system-auth file to remove use_first_pass reference."
fi

PAM_UNIX_SUFFICIENT_AUTH='auth\s*sufficient\s*pam_unix.so'
if grep -E "$PAM_UNIX_SUFFICIENT_AUTH" $PAMD_DIR/system-auth; then
    log_and_echo "Removing sufficient qualification from pam_unix.so entry in system-auth file"
    sed -i -E '/pam_unix.so$/s/sufficient/required/' $PAMD_DIR/system-auth
    if [ "$?" -ne 0 ]; then
        log_and_echo_error "Could not remove sufficient qualification from pam_unix.so entry in system-auth file"
        exit 1
    fi
    log_and_echo "Successfully removed sufficient qualification from pam_unix.so entry in system-auth file"
else
    log_and_echo "No changes were needed to system-auth file to remove sufficient qualification from pam_unix.so entry"
fi

# system-session
log_and_echo "Updating system-session file if needed"
SESSION_OPTIONAL='session optional pam_sss.so'
if grep "$SESSION_OPTIONAL" $PAMD_DIR/system-session; then
    log_and_echo "Removing optional line from system-session file"
    sed -i "/$SESSION_OPTIONAL/d" $PAMD_DIR/system-session
    if [ "$?" -ne 0 ]; then
        log_and_echo_error "Could not remove optional line from pam.d system-session file"
        exit 1
    fi
    log_and_echo "Successfully removed optional line from system-session file"
else
    log_and_echo "Updates to system-session file were not needed."
fi

exit 0
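Before running VMware's script with its in-place sed edits, an administrator may want a dry run that shows exactly which lines it would delete or rewrite. The following checker is an added example, not part of the original article or VMware's script: it applies the same rules (drop the three pam_sss.so directives, tighten "sufficient" on pam_unix.so to "required") to file contents and reports the findings, matching on whitespace runs rather than single spaces so it also catches slightly differently formatted lines. The sample file bodies are constructed, not copied from a real appliance.

```python
import re

# Directives VMware's remediation script deletes on an upgraded appliance.
REMOVE_PATTERNS = [
    re.compile(r"^account\s+\[default=bad success=ok user_unknown=ignore\]\s+pam_sss\.so\b"),
    re.compile(r"^auth\s+sufficient\s+pam_sss\.so\s+use_first_pass\b"),
    re.compile(r"^session\s+optional\s+pam_sss\.so\b"),
]
# "sufficient" on pam_unix.so is tightened to "required" (auth and account).
TIGHTEN_PATTERN = re.compile(r"^(auth|account)(\s+)sufficient(\s+pam_unix\.so)$")

def audit_pam_file(text):
    """Dry-run the fix on one pam.d file body.

    Returns (fixed_text, findings); findings is a list of
    (line_no, original_line, action) and is empty for a clean file."""
    fixed, findings = [], []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if any(p.match(stripped) for p in REMOVE_PATTERNS):
            findings.append((no, stripped, "remove"))
            continue  # line is dropped from the fixed output
        if TIGHTEN_PATTERN.match(stripped):
            findings.append((no, stripped, "sufficient -> required"))
            line = line.replace("sufficient", "required", 1)
        fixed.append(line)
    return "\n".join(fixed) + "\n", findings

def audit_pam_dir(files):
    """files: {name: body}. Returns {name: (fixed_text, findings)}."""
    return {name: audit_pam_file(body) for name, body in files.items()}

# Constructed sample of the three files as they might look after the
# 10.5.0 upgrade (assumption for illustration, not a captured appliance).
SAMPLE_FILES = {
    "system-account": ("account sufficient pam_unix.so\n"
                       "account [default=bad success=ok user_unknown=ignore] pam_sss.so\n"),
    "system-auth": ("auth sufficient pam_unix.so\n"
                    "auth sufficient pam_sss.so use_first_pass\n"),
    "system-session": ("session required pam_unix.so\n"
                       "session optional pam_sss.so\n"),
}

if __name__ == "__main__":
    for name, (fixed, findings) in audit_pam_dir(SAMPLE_FILES).items():
        print(f"{name}: {'WEAK' if findings else 'clean'}")
        for no, orig, action in findings:
            print(f"  line {no}: {action}: {orig}")
        print(fixed)
```

To run it against a real appliance, read each /etc/pam.d/system-* file into the dict instead of SAMPLE_FILES; the script only reports and never writes.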
