Critical VMware Carbon Black Bug Allows Auth Bypass


VMware has fixed an uber-severe bug in its Carbon Black App Control (AppC) management server, a server whose job is to lock down critical systems and servers so they don't get changed willy-nilly. AppC also ensures that organizations stay in continuous compliance with regulatory mandates.

This is a bad one: VMware puts the flaw, [CVE-2021-21998](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21998>), in the critical severity range with a maximum CVSSv3 base score of 9.4 out of 10. The bug is an authentication bypass that could enable an attacker with network access to the server to gain administrative privileges without needing to authenticate.

According to VMware's [advisory](<https://www.vmware.com/security/advisories/VMSA-2021-0012.html>), the authentication-bypass bug affects AppC versions 8.0, 8.1, 8.5 before 8.5.8, and 8.6 before 8.6.2.

As pointed out by [Heimdal Security](<https://heimdalsecurity.com/blog/vmware-fixes-severe-carbon-black-app-control-authentication-bypass-vulnerability/>), depending on the environment, threat actors could exploit the vulnerability "to maximum advantage to attack anything from point-of-sale [systems] (PoS) to industrial-control systems." To avoid that, organizations must patch, as there are no workarounds available.
Below are the patches, listed in the Fixed Version column of VMware's Response Matrix:

Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Version Workarounds | Additional Documentation
---|---|---|---|---|---|---|---|---
AppC | 8.6.x | Windows | CVE-2021-21998 | 9.4 | critical | 8.6.2 | None | None
AppC | 8.5.x | Windows | CVE-2021-21998 | 9.4 | critical | 8.5.8 | None | None
AppC | 8.1.x, 8.0.x | Windows | CVE-2021-21998 | 9.4 | critical | Hotfix | None | None

Credit for discovering and reporting CVE-2021-21999 goes to [Zeeshan Shaikh](<https://twitter.com/bugzzzhunter>) from NotSoSecure, who worked with Trend Micro Zero Day Initiative (ZDI) and [Hou JingYi](<https://twitter.com/hjy79425575>) of Qihoo 360.

## Plus This: High-Risk Bug in Other VMware Products

Besides the authentication-bypass fix, VMware also published a security advisory for a high-risk bug in VMware Tools, VMware Remote Console for Windows (VMRC), and VMware App Volumes products. At this point, the bug doesn't have a severity score from the National Institute of Standards and Technology (NIST), but VMware evaluated it at 7.8 (high severity).

The flaw, [CVE-2021-21999](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21999>), is a local privilege-escalation vulnerability. VMware's [advisory](<https://www.vmware.com/security/advisories/VMSA-2021-0013.html>) lists the affected products as VMware Tools for Windows (11.x.y prior to 11.2.6), VMware Remote Console for Windows (12.x prior to 12.0.1), and VMware App Volumes (2.x prior to 2.18.10 and 4 prior to 2103).

Once again, there's no workaround for this one. Admins should patch it as soon as possible, given what VMware said can be done with it:

> An attacker with normal access to a virtual machine may exploit this issue by placing a malicious file renamed as `openssl.cnf` in an unrestricted directory which would allow code to be executed with elevated privileges.
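Because neither advisory offers a workaround, the practical question for an admin is simply "which of my installs fall inside the affected ranges?" The following script is an added example, not code from Threatpost or VMware: it encodes the version ranges from VMSA-2021-0012 and VMSA-2021-0013 as stated above and checks an inventory against them. The inventory rows are constructed sample data, and it assumes App Volumes 4 releases are identified by their YYMM release label (for example `2103`), the way the advisory names them.

```python
"""Check VMware product versions against the affected ranges in
VMSA-2021-0012 (CVE-2021-21998) and VMSA-2021-0013 (CVE-2021-21999).
Added example; the ranges are transcribed from the advisories quoted above."""
from __future__ import annotations

import re
from dataclasses import dataclass


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '8.5.8', '11.2.6' or a release label like '2103' into a tuple of ints
    so that Python's tuple comparison orders versions correctly
    (e.g. (8, 6, 1, 100) < (8, 6, 2)). Non-numeric build tags are ignored."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


@dataclass(frozen=True)
class Rule:
    cve: str
    product: str
    branch: tuple[int, ...]          # version prefix this row of the matrix covers
    fixed: tuple[int, ...] | None    # first fixed version; None = hotfix only


# Response-matrix rows, first match wins, so list narrower branches first.
RULES = [
    Rule("CVE-2021-21998", "AppC", (8, 6), (8, 6, 2)),
    Rule("CVE-2021-21998", "AppC", (8, 5), (8, 5, 8)),
    Rule("CVE-2021-21998", "AppC", (8, 1), None),
    Rule("CVE-2021-21998", "AppC", (8, 0), None),
    Rule("CVE-2021-21999", "VMware Tools for Windows", (11,), (11, 2, 6)),
    Rule("CVE-2021-21999", "VMware Remote Console for Windows", (12,), (12, 0, 1)),
    Rule("CVE-2021-21999", "VMware App Volumes", (2,), (2, 18, 10)),
    # Assumption: App Volumes 4 is tracked by its YYMM release label ("4 prior to 2103"),
    # so an empty branch prefix matches any label once the 2.x row above has not matched.
    Rule("CVE-2021-21999", "VMware App Volumes", (), (2103,)),
]


def check(product: str, version: str) -> dict | None:
    """Return {'cve', 'affected', 'fix'} for a product/version pair,
    or None when the version branch is not listed in either advisory."""
    v = parse_version(version)
    for rule in RULES:
        if rule.product != product or v[: len(rule.branch)] != rule.branch:
            continue
        affected = rule.fixed is None or v < rule.fixed
        fix = "hotfix" if rule.fixed is None else ".".join(map(str, rule.fixed))
        return {"cve": rule.cve, "affected": affected, "fix": fix}
    return None


# Constructed sample inventory: (hostname, product, installed version).
INVENTORY = [
    ("appc-prod-01", "AppC", "8.5.7"),
    ("appc-prod-02", "AppC", "8.6.2"),
    ("vdi-gold-image", "VMware Tools for Windows", "11.2.5"),
    ("appvol-mgr", "VMware App Volumes", "2012"),
]


def affected_hosts(inventory: list[tuple[str, str, str]]) -> list[tuple[str, str, str]]:
    """Reduce an inventory to (host, CVE, fixed version) for every affected install."""
    findings = []
    for host, product, version in inventory:
        result = check(product, version)
        if result and result["affected"]:
            findings.append((host, result["cve"], result["fix"]))
    return findings


if __name__ == "__main__":
    for host, cve, fix in affected_hosts(INVENTORY):
        print(f"{host}: affected by {cve}, upgrade to {fix}")
```

A version that is exactly the fixed release (8.5.8, 8.6.2, 11.2.6) is reported as not affected, and a branch the advisory never mentions (say AppC 8.7) returns `None` rather than a false negative, so the caller can flag it for manual review instead of silently treating it as safe.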
## History of Critical Holes

The security hole in AppC is only the latest critical problem that VMware has addressed. In February, for one, VMware [patched three vulnerabilities](<https://threatpost.com/vmware-patches-critical-rce-flaw-in-vcenter-server/164240/>) in its virtual-machine infrastructure for data centers, including a remote code-execution (RCE) flaw in its vCenter Server management platform. The vulnerability could allow attackers to breach the external perimeter of an enterprise data center or leverage backdoors already installed on a system to find other vulnerable points of network entry and take over affected systems.

More recently, in April, another [critical cloud bug](<https://threatpost.com/critical-cloud-bug-vmware-carbon-black/165278/>), again in VMware Carbon Black, would have allowed takeover. The bug (CVE-2021-21982) ranked 9.1 out of 10 on the CVSS vulnerability-severity scale. It would enable privilege escalation and the ability to take over the administrative rights for the VMware Carbon Black Cloud Workload appliance.