Critical Auth Bypass Bug Affects VMware Carbon Black App Control

Cyber Security

VMware has rolled out security updates to resolve a critical flaw affecting Carbon Black App Control that could be exploited to bypass authentication and take control of vulnerable systems.

The vulnerability, identified as CVE-2021-21998, is rated 9.4 out of 10 in severity by the industry-standard Common Vulnerability Scoring System (CVSS) and affects App Control (AppC) versions 8.0.x, 8.1.x, 8.5.x, and 8.6.x.

Carbon Black App Control is a security solution designed to lock down critical systems and servers to prevent unauthorized changes in the face of cyber-attacks and ensure compliance with regulatory mandates such as PCI-DSS, HIPAA, GDPR, SOX, FISMA, and NERC.

Stack Overflow Teams

“A malicious actor with network access to the VMware Carbon Black App Control management server might be able to obtain administrative access to the product without the need to authenticate,” the California-based cloud computing and virtualization technology company said in an advisory.

CVE-2021-21998 is the second time VMware is addressing an authentication bypass issue in its Carbon Black endpoint security software. Earlier this April, the company fixed an incorrect URL handling vulnerability in the Carbon Black Cloud Workload appliance (CVE-2021-21982) that could be exploited to gain access to the administration API.

That’s not all. VMware also patched a local privilege escalation bug affecting VMware Tools for Windows, VMware Remote Console for Windows (VMRC for Windows), and VMware App Volumes (CVE-2021-21999, CVSS score: 7.8) that could allow a bad actor to execute arbitrary code on affected systems.

Enterprise Password Management

“An attacker with normal access to a virtual machine may exploit this issue by placing a malicious file renamed as ‘openssl.cnf’ in an unrestricted directory which would allow code to be executed with elevated privileges,” VMware noted.

VMware credited Zeeshan Shaikh (@bugzzzhunter) from NotSoSecure and Hou JingYi (@hjy79425575) of Qihoo 360 for reporting the flaw.

Products You May Like

Articles You May Like

Twitter Celebrity Hack: UK Citizen Arrested in Spain for Role in 2020 Scam Attack
Orum raises $25M to automate outbound sales workflows
Redmi K40 Gaming Edition Teased in New Inverse Scale Colour Option, Spotted on
YouTube Removes Bengal BJP Chief Dilip Ghosh’s Videos on Post-Poll Violence
YouTube, Along With Facebook, Said to Be on White House Radar for Spreading COVID-19 Vaccine Misinformation

Leave a Reply

Your email address will not be published. Required fields are marked *