VMware fixes command injection, file upload flaws in Carbon Black security tool

Miscreants can exploit these to make a bad situation much worse

VMware has patched two security flaws, an OS command injection vulnerability and a file upload hole, in its Carbon Black App Control security product running on Windows.

Both bugs are rated 9.1 out of 10 in terms of CVSS severity. They can be exploited to execute arbitrary commands on the Windows host, such as commands to deploy malware, exfiltrate data, or explore the rest of the network.

In both cases, an attacker needs to be logged in as an administrator or highly privileged user, which means exploitation is limited to rogue insiders and hijacked admin accounts. On the other hand, exploitation means a bad situation is about to get a lot worse. Given the rise of insider threats and compromised administrator access, patching to limit what even trusted accounts can do isn't such a bad idea.

VMware's advisory on the matter does not say whether or not these holes are under active attack. When we asked the virtualization giant for clarity, a spokesperson didn't give us an answer, instead telling us:

"The security of our customers is a top priority at VMware, and we encourage customers to apply the patches provided in our security advisory, VMSA-2022-0008. Customers should also join VMware's Security-Announce mailing list to receive the latest VMware security advisories."


Both vulnerabilities affect VMware's Carbon Black App Control product. This is an agent-based datacenter security tool that allows system administrators to lock down servers and prevent any unwanted changes to or tampering with critical systems.

One of the security flaws, CVE-2022-22951, is an OS command injection vulnerability. According to VMware, it could allow authenticated attackers with high privileges and network access to the VMware App Control administration interface to remotely execute commands on the server.

The second, CVE-2022-22952, could allow attackers with administrative access to upload a specially crafted file to then execute malicious code on the Windows instance running the App Control server. 

Security consultant Jari Jääskelä found both bugs and reported them to VMware.

The Carbon Black App Control flaws follow earlier security alerts including two critical guest-to-host vulnerabilities in the XHCI and UHCI USB controllers in VMware's ESXi hypervisor. The XHCI and UHCI USB controller bugs, which VMware patched in February, could allow attackers with administrative privileges in a virtual machine to execute malicious code as the VM's VMX process on the host. 

And, of course, not even VMware could escape the Log4j vulnerability, which affected virtually every enterprise product on the planet late last year. Some software shops are still struggling to patch it. 

In all, more than 100 VMware products were impacted by the Log4j blunder, which kept VMware busy issuing a slew of patches between December 2021 and February 2022.

Shortly after the vendor disclosed its first Log4j vulns, VMware identified another critical flaw: a server-side request forgery (SSRF) in VMware's Workspace ONE Unified Endpoint Management (UEM) product.

This one could allow someone with network access to UEM to send requests without authentication and then "exploit this issue to gain access to sensitive information," according to VMware's security advisory.
