Critical Bug in VMware Carbon Black Allows Takeover | Threatpost

A critical security vulnerability in the VMware Carbon Black Cloud Workload appliance would allow privilege escalation and the ability to take over the administrative rights for the solution.

The bug (CVE-2021-21982) ranks 9.1 out of 10 on the CVSS vulnerability-severity scale.

The VMware Carbon Black Cloud Workload platform is designed to provide cybersecurity defense for virtual servers and workloads that are hosted on VMware's vSphere platform. vSphere is VMware's cloud-computing virtualization platform.

The issue in the appliance stems from incorrect URL handling, according to VMware’s advisory issued last week.

“A URL on the administrative interface of the VMware Carbon Black Cloud Workload appliance can be manipulated to bypass authentication,” the company noted. “An adversary who has already gained network access to the administrative interface of the appliance may be able to obtain a valid authentication token.”

That in turn would allow the attacker to access the administration API of the appliance. Once signed in as an admin, the attacker could then view and alter administrative configuration settings. Depending on what tools an organization has deployed within the environment, an adversary could carry out a range of attacks, including code execution, disabling security monitoring, enumerating virtual instances within a private cloud and more.

“A remote attacker could exploit this vulnerability to take control of an affected system,” said the Cybersecurity and Infrastructure Security Agency (CISA) in a concurrent alert on the bug.

Companies are urged to update to the latest version, version 1.0.2, of the VMware Carbon Black Cloud Workload appliance, which contains a fix.

Users should also limit access to the local administrative interface of the appliance to only those that need it, VMware recommended.

Egor Dimitrenko of Positive Technologies was credited with discovering the vulnerability.

The security hole is only the latest critical problem that VMware has addressed. In February, for instance, VMware patched three vulnerabilities in its virtual-machine infrastructure for data centers, including a remote code execution (RCE) flaw in its vCenter Server management platform. That vulnerability could allow attackers to breach the external perimeter of an enterprise data center, or to leverage backdoors already installed on a system, in order to find other vulnerable points of network entry and take over affected systems.
