Threat Update
A critical vulnerability was recently disclosed in the VMware Carbon Black Cloud Workload appliance that could allow an attacker to take control of a vulnerable system. A malicious actor with network access to the appliance's administrative interface could obtain a valid authentication token without knowing any credentials and in turn be granted administrative rights on the affected appliance. SKOUT recommends applying version 1.0.2 of the VMware Carbon Black Cloud Workload appliance, which VMware released to address this vulnerability.
Technical Detail & Additional Information
WHAT IS THE THREAT?
Should a threat actor gain access to a VMware Carbon Black Cloud Workload appliance by exploiting this vulnerability, which is being tracked as CVE-2021-21982, they would have the full set of administrative controls, including NTP Server Settings, Network Settings, Proxy Settings, Password Reset, and Appliance Reboot. An attacker who can reset the administrative password and reboot the appliance can lock defenders out of their own security tooling. It bears mentioning that VMware disclosed two separate bugs in its vRealize Operations Manager product at the same time. CVE-2021-21975 is a server-side request forgery in the vRealize Operations Manager API that a malicious actor with network access to the API can use to steal administrative credentials; CVE-2021-21983 is an arbitrary file write that an authenticated actor with network access to the API can use to write files to arbitrary locations on the underlying operating system. These two affect a different product and are not reached through the Carbon Black appliance, but they chain naturally with one another: the credentials stolen via CVE-2021-21975 satisfy the authentication that CVE-2021-21983 requires.
WHY IS IT NOTEWORTHY?
VMware Carbon Black Cloud Workload is a data center security product intended to protect workloads running in virtualized (vSphere) environments, and the on-premises appliance is the component that connects those workloads to the Carbon Black Cloud. The platform provides endpoint protection capabilities such as antivirus, threat hunting, and EDR. Compromise of a security product in this position is doubly damaging: the virtual environment may be left unprotected or misconfigured, and the attacker gains an administratively trusted foothold that can be used for credential theft and lateral movement within the infrastructure.
WHAT IS THE EXPOSURE OR RISK?
These CVEs pose a high level of risk to any business or organization that uses the VMware Carbon Black Cloud Workload appliance or vRealize Operations Manager to manage and protect its virtual computing environment. Note the differing preconditions: CVE-2021-21982 requires no prior authentication, only network access to the appliance's administrative interface, which is why it is rated critical on its own. CVE-2021-21975 likewise requires only network access to the vRealize Operations Manager API. Only CVE-2021-21983 requires the attacker to already be authenticated, and CVE-2021-21975 is the obvious way to obtain those credentials, so the vRealize Operations Manager pair should be treated as one attack path rather than two isolated issues. All three require prompt patching.
WHAT ARE THE RECOMMENDATIONS?
SKOUT recommends that all users of the VMware Carbon Black Cloud Workload appliance apply version 1.0.2, and that users of vRealize Operations Manager apply VMware's patches for that product as well. Doing so mitigates the threats described above: unauthenticated administrative access to the appliance, credential theft, arbitrary file writes on the vRealize Operations Manager host, and subsequent lateral movement. VMware's security advisory, which is linked from the coverage below, carries the response matrix and the release notes for version 1.0.2. Additionally, best practice is to restrict network access to the appliance's local administrative interface to a dedicated management network, since the vulnerability is only reachable by hosts that can connect to that interface. Where an appliance was reachable from a broader network before patching, review its NTP, network, proxy, and password settings for unexpected changes and check for unexplained reboots, as these are exactly the controls an attacker would have had.
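The two checks a responder would want to run against the guidance above, as an added example that is not VMware's or SKOUT's code: first, whether a reported appliance version predates the 1.0.2 fix, and second, which requests to the administrative interface came from hosts outside the management allowlist. The access-log format, the management subnet 10.10.0.0/24, and the request paths are all constructed for illustration and are not the appliance's real log format or endpoints.

```python
"""Triage helpers for the VMware Carbon Black Cloud Workload appliance advisory.

Added example, not VMware's or SKOUT's code. The log format, allowlist and
paths below are constructed assumptions, not the appliance's real ones.
"""
import ipaddress
import re

# Version that ships the fix for CVE-2021-21982.
FIXED_VERSION = (1, 0, 2)

# Assumed management subnet that should be the only source of admin traffic.
MGMT_ALLOWLIST = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed log layout: "<timestamp> <source-ip> <method> <path> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample: one legitimate admin host and one unexpected source
# that successfully reached the password-reset path before patching.
SAMPLE_LOG = """\
2021-04-02T10:15:03Z 10.10.0.21 GET /settings/network 200
2021-04-02T10:15:09Z 10.10.0.21 POST /settings/ntp 200
2021-04-02T10:16:44Z 192.0.2.77 GET /settings/password 200
2021-04-02T10:16:45Z 192.0.2.77 POST /settings/password 302
2021-04-02T10:17:01Z 10.10.0.21 GET /status 200
this line is malformed and must be skipped, not crash the parser
"""


def parse_version(version: str) -> tuple:
    """Turn '1.0.10' into (1, 0, 10) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(version: str) -> bool:
    """True when the appliance version predates the 1.0.2 fix."""
    return parse_version(version) < FIXED_VERSION


def admin_requests_outside_allowlist(lines, allowlist=MGMT_ALLOWLIST):
    """Return (src, path, status) for every admin request from a non-management host.

    Lines that do not match the layout, or whose source is not a valid IP
    address, are skipped rather than raising.
    """
    hits = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue
        try:
            src = ipaddress.ip_address(match["src"])
        except ValueError:
            continue
        if not any(src in net for net in allowlist):
            hits.append((match["src"], match["path"], match["status"]))
    return hits


def summarize_by_source(hits):
    """Group flagged requests by source, counting those that succeeded (2xx/3xx).

    A successful request to a settings path from outside the management
    network is the signal that the post-exposure settings review is needed.
    """
    summary = {}
    for src, _path, status in hits:
        entry = summary.setdefault(src, {"requests": 0, "succeeded": 0})
        entry["requests"] += 1
        if status[0] in "23":
            entry["succeeded"] += 1
    return summary


if __name__ == "__main__":
    for v in ("1.0.1", "1.0.2", "1.0.10"):
        print(f"appliance {v}: {'VULNERABLE' if is_vulnerable(v) else 'patched'}")
    flagged = admin_requests_outside_allowlist(SAMPLE_LOG.splitlines())
    for src, info in summarize_by_source(flagged).items():
        print(f"{src}: {info['requests']} admin requests, {info['succeeded']} succeeded")
```

The version comparison is done on integer tuples because a string comparison would rank "1.0.10" below "1.0.2". The allowlist check is the same policy that should be enforced at the network layer in front of the appliance; running it over access logs tells you whether that control was already in place, and if not, which hosts reached the administrative interface while it was exposed.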
References:
For more in-depth information about these vulnerabilities and the recommendations, please visit the following links:
- https://thehackernews.com/2021/04/critical-auth-bypass-bug-found-in.html?m=1
- https://threatpost.com/critical-cloud-bug-vmware-carbon-black/165278/
- https://www.securityweek.com/vmware-patches-critical-flaw-carbon-black-cloud-workload
If you have any questions, please contact our Security Operations Center.