Skip links

VMware fixes command injection, file upload flaws in Carbon Black security tool

VMware has patched two security flaws, an OS command injection vulnerability and a file upload hole, in its Carbon Black App Control security product running on Windows.

Both bugs are rated 9.1 out of 10 in terms of CVSS severity. They can be exploited to execute arbitrary commands on the Windows host, such as commands to deploy malware, exfiltrate data, or explore the rest of the network.

In both cases, an attacker needs to be logged in as an administrator or highly privileged user, which means exploitation is limited to rogue insiders and hijacked admin accounts. On the other hand, exploitation means a bad situation is about to get a lot worse. Given the rise of insider threats, and compromised administrator access, patching this to limit scope of even trusted accounts isn’t such a bad idea.

VMware’s advisory on the matter does not say whether or not these holes are under active attack. When we asked the virtualization giant for clarity, a spokesperson didn’t give us an answer, instead telling us:

Both vulnerabilities affect VMware’s Carbon Black App Control product. This is an agent-based datacenter security tool that allows system administrators to lock down servers and prevent any unwanted changes to or tampering with critical systems.

One of the security flaws, CVE-2022-22951, is an OS command injection vulnerability. According to VMware, it could allow authenticated attackers with high privileges and network access to the VMware App Control administration interface to remotely execute commands on the server.

The second, CVE-2022-22952, could allow attackers with administrative access to upload a specially crafted file to then execute malicious code on the Windows instance running the App Control server. 

Security consultant Jari Jääskelä found both bugs and reported them to VMware.

The Carbon Black App Control flaws follow earlier security alerts including two critical guest-to-host vulnerabilities in the XHCI and UHCI USB controllers in VMware’s ESXi hypervisor. The XHCI and UHCI USB controller bugs, which VMware patched in February, could allow attackers with administrative privileges in a virtual machine to execute malicious code as the VM’s VMX process on the host. 

And, of course, not even VMware could escape the Log4j vulnerability, which affected virtually every enterprise product on the planet late last year. Some software shops are still struggling to patch it. 

In all, more than 100 VMware products were impacted by the Log4j blunder, which kept VMware busy issuing a slew of patches between December 2021 and February 2022.

Shortly after the vendor disclosed its first Log4J vulns, VMware identified another critical flaw: a server-side forgery request in VMware’s Workspace ONE Unified Endpoint Management (UEM) product. 

This one could allow someone with network access to UEM to send requests without authentication and then “exploit this issue to gain access to sensitive information,” according to VMware’s security advisory. ®