VMware Patches Authentication Bypass in Carbon Black App Control


VMware, the California-based cloud computing and virtualization technology firm, has patched an authentication bypass vulnerability in its Carbon Black App Control (AppC) management server. According to VMware’s advisory, the authentication-bypass vulnerability affects AppC versions 8.0.x, 8.1.x, 8.5.x, and 8.6.x.

The flaw, tracked as CVE-2021-21998, falls into the critical range with a maximum CVSSv3 base score of 9.4 out of 10. A malicious actor with network access to the VMware Carbon Black App Control management server may be able to gain administrative privileges in the application without needing to authenticate, VMware explained.

However, although the attacker does not need valid credentials for the target application, they would still have to first gain network access to the VMware Carbon Black App Control management server for the attack to succeed, VMware explains in its advisory.

AppC is designed to harden servers, prevent unauthorized changes during cyber-attacks, and help organizations meet regulatory mandates such as PCI-DSS, HIPAA, GDPR, SOX, FISMA, and NERC.

Besides the authentication-bypass patch, VMware also fixed a local privilege escalation flaw affecting VMware Tools for Windows, VMware Remote Console for Windows (VMRC for Windows), and VMware App Volumes that could allow an attacker to execute arbitrary code on compromised systems.

That flaw, CVE-2021-21999, is a local privilege-escalation vulnerability. At this point it does not have a severity score from the National Institute of Standards and Technology (NIST), but VMware rated it 7.8 (high severity).

"An attacker with normal access to a virtual machine may exploit this issue by placing a malicious file renamed as 'openssl.cnf' in an unrestricted directory which would allow code to be executed with elevated privileges," VMware noted. 
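The vector VMware describes above depends on a low-privilege account being able to drop a file named openssl.cnf into a directory that the privileged component will read it from. The defensive check a practitioner wants is therefore: for each directory the OpenSSL-using component might load its configuration from, can an unprivileged account create or modify openssl.cnf there? The script below is an added example written for this article; it is not VMware's code and it does not know the specific directory involved in CVE-2021-21999, so the candidate directory list is an input you supply (the assumption being that the administrator knows which config locations the installed OpenSSL build consults). It uses a create-then-delete probe rather than permission bits, so it reflects effective Windows ACLs or POSIX modes as seen by whatever account runs it; run it as the unprivileged account whose access the advisory describes, since as an administrator or root every directory looks writable. The `demo()` function builds constructed temporary directories to show the output.

```python
import os
import tempfile
from pathlib import Path

# File name named in the VMware advisory for CVE-2021-21999.
CONFIG_NAME = "openssl.cnf"


def current_user_can_write(directory: Path) -> bool:
    """Probe whether the account running this script can create a file in
    `directory`. Creating and deleting a temp file reflects the effective
    permissions (Windows ACLs or POSIX bits) more reliably than os.access()."""
    try:
        fd, probe = tempfile.mkstemp(prefix=".cfg_audit_", dir=directory)
    except OSError:
        return False
    os.close(fd)
    os.unlink(probe)
    return True


def file_is_writable(path: Path) -> bool:
    """Open for read/write without writing; fails if the ACL/mode denies write."""
    try:
        with open(path, "r+"):
            return True
    except OSError:
        return False


def audit_config_dirs(candidate_dirs):
    """For every existing candidate directory, record whether it already holds
    an openssl.cnf and whether the current account could plant or alter one."""
    findings = []
    for d in candidate_dirs:
        path = Path(d)
        if not path.is_dir():
            continue  # nothing to audit: the loader cannot read a missing directory
        config = path / CONFIG_NAME
        findings.append({
            "dir": str(path),
            "has_config": config.is_file(),
            "dir_writable": current_user_can_write(path),
            "config_writable": config.is_file() and file_is_writable(config),
        })
    return findings


def risky(findings):
    """Directories where this account could introduce or replace the config."""
    return [f for f in findings if f["dir_writable"] or f["config_writable"]]


def demo():
    """Constructed scenario (not a real system): one world-writable directory
    holding a config, one read-only directory holding a config, one missing."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        open_dir = root / "open"
        open_dir.mkdir()
        (open_dir / CONFIG_NAME).write_text("# constructed sample config\n")
        os.chmod(open_dir / CONFIG_NAME, 0o666)
        os.chmod(open_dir, 0o777)
        locked_dir = root / "locked"
        locked_dir.mkdir()
        (locked_dir / CONFIG_NAME).write_text("# constructed sample config\n")
        os.chmod(locked_dir / CONFIG_NAME, 0o444)
        os.chmod(locked_dir, 0o555)

        findings = audit_config_dirs([open_dir, locked_dir, root / "missing"])
        result = {
            "findings": {Path(f["dir"]).name: f for f in findings},
            "flagged": sorted(Path(f["dir"]).name for f in risky(findings)),
        }
        # restore modes so the temporary directory can be removed on exit
        os.chmod(locked_dir, 0o755)
        os.chmod(locked_dir / CONFIG_NAME, 0o644)
        return result


if __name__ == "__main__":
    for name, f in demo()["findings"].items():
        print(name, f)
    print("flagged:", demo()["flagged"])
```

In the constructed scenario the "open" directory is always flagged; the "locked" directory is flagged only if the probing account can override its mode (for example root), which is exactly why the audit belongs under a low-privilege account. The remediation the advisory implies follows from the output: any flagged directory that the privileged component reads its configuration from needs its ACL tightened so that only administrators can write there.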

The flaw in AppC is only the latest severe problem that VMware has patched. In February, for example, VMware fixed three bugs in its virtual-machine infrastructure for data centers, including a remote code execution (RCE) flaw in its vCenter Server management platform. That vulnerability could allow attackers to breach the external perimeter of an enterprise data center, or leverage backdoors already installed on a system, to discover other vulnerable points of network entry and take over affected systems.