This article is more than 1 year old
VMware fixes command injection, file upload flaws in Carbon Black security tool
Miscreants can exploit these to make a bad situation much worse
VMware has patched two security flaws, an OS command injection vulnerability and a file upload hole, in its Carbon Black App Control security product running on Windows.
Both bugs are rated 9.1 out of 10 in terms of CVSS severity. They can be exploited to execute arbitrary commands on the Windows host, such as commands to deploy malware, exfiltrate data, or explore the rest of the network.
In both cases, an attacker needs to be logged in as an administrator or highly privileged user, which means exploitation is limited to rogue insiders and hijacked admin accounts. On the other hand, exploitation means a bad situation is about to get a lot worse. Given the rise of insider threats, and compromised administrator access, patching this to limit scope of even trusted accounts isn't such a bad idea.
VMware's advisory on the matter does not say whether or not these holes are under active attack. When we asked the virtualization giant for clarity, a spokesperson didn't give us an answer, instead telling us:
The security of our customers is a top priority at VMware, and we encourage customers to apply the patches provided in our security advisory, VMSA-2022-0008. Customers should also join VMware's Security-Announce mailing list to receive the latest VMware security advisories.
Both vulnerabilities affect VMware's Carbon Black App Control product. This is an agent-based datacenter security tool that allows system administrators to lock down servers and prevent any unwanted changes to or tampering with critical systems.
One of the security flaws, CVE-2022-22951, is an OS command injection vulnerability. According to VMware, it could allow authenticated attackers with high privileges and network access to the VMware App Control administration interface to remotely execute commands on the server.
The second, CVE-2022-22952, could allow attackers with administrative access to upload a specially crafted file to then execute malicious code on the Windows instance running the App Control server.
Security consultant Jari Jääskelä found both bugs and reported them to VMware.
- VMware fixes vSphere release it pulled, sorts out Log4j while it's at it
- Over Log4j? VMware has another critical flaw for you to patch
- Microsoft Azure DevOps revives TLS 1.0/1.1 with rollback
- Microsoft patches critical remote-code-exec hole in Exchange Server and others
The Carbon Black App Control flaws follow earlier security alerts including two critical guest-to-host vulnerabilities in the XHCI and UHCI USB controllers in VMware's ESXi hypervisor. The XHCI and UHCI USB controller bugs, which VMware patched in February, could allow attackers with administrative privileges in a virtual machine to execute malicious code as the VM's VMX process on the host.
And, of course, not even VMware could escape the Log4j vulnerability, which affected virtually every enterprise product on the planet late last year. Some software shops are still struggling to patch it.
Shortly after the vendor disclosed its first Log4J vulns, VMware identified another critical flaw: a server-side forgery request in VMware's Workspace ONE Unified Endpoint Management (UEM) product.
This one could allow someone with network access to UEM to send requests without authentication and then "exploit this issue to gain access to sensitive information," according to VMware's security advisory. ®