3\. Advisory Details
A URL on the administrative interface of the VMware Carbon Black Cloud Workload appliance can be manipulated to bypass authentication (CVE-2021-21982, CWE-287: Improper Authentication). An adversary who has network access to the administrative interface may obtain a valid authentication token and use it against the administration API to view and alter administrative configuration settings. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). Affected appliance versions are 1.0.0 and 1.0.1; the fix is appliance version 1.0.2, and VMware also recommends limiting access to the local administrative interface to only those who need it.
{"cve": [{"lastseen": "2023-02-09T14:07:44", "description": "VMware Carbon Black Cloud Workload appliance 1.0.0 and 1.0.1 has an authentication bypass vulnerability that may allow a malicious actor with network access to the administrative interface of the VMware Carbon Black Cloud Workload appliance to obtain a valid authentication token. Successful exploitation of this issue would result in the attacker being able to view and alter administrative configuration settings.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2021-04-01T19:15:00", "type": "cve", "title": "CVE-2021-21982", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21982"], "modified": "2021-04-06T16:29:00", "cpe": ["cpe:/a:vmware:carbon_black_cloud_workload:1.0.1"], "id": "CVE-2021-21982", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21982", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}, "cpe23": ["cpe:2.3:a:vmware:carbon_black_cloud_workload:1.0.1:*:*:*:*:*:*:*"]}], "threatpost": [{"lastseen": "2021-04-07T21:03:22", "description": "A critical security vulnerability in the 
VMware Carbon Black Cloud Workload appliance would allow an attacker on the network to bypass authentication and take over the administrative rights for the solution.\n\nThe bug (CVE-2021-21982) ranks 9.1 out of 10 on the CVSS vulnerability-severity scale.\n\nThe VMware Carbon Black Cloud Workload platform is designed to provide cybersecurity defense for virtual servers and workloads that are hosted on VMware\u2019s vSphere platform. vSphere is VMware\u2019s cloud-computing virtualization platform.\n\nThe issue in the appliance stems from incorrect URL handling, according to VMware\u2019s advisory issued last week.\n\n\u201cA URL on the administrative interface of the VMware Carbon Black Cloud Workload appliance can be manipulated to bypass authentication,\u201d the company noted. \u201cAn adversary who has already gained network access to the administrative interface of the appliance may be able to obtain a valid authentication token.\u201d\n\nThat in turn would allow the attacker to access the administration API of the appliance. Once signed in as an admin, the attacker could then view and alter administrative [configuration settings](<https://docs.vmware.com/en/VMware-Carbon-Black-Cloud-Workload/1.0/carbonblack_workload/GUID-E2ED3713-315B-4EEE-A3E8-A7A09A011101.html>). 
Depending on what tools an organization has deployed within the environment, an adversary could carry out a range of attacks, including code execution, disabling security monitoring, enumerating virtual instances within a private cloud and more.\n\n\u201cA remote attacker could exploit this vulnerability to take control of an affected system,\u201d said the Cybersecurity and Infrastructure Security Agency (CISA) in a [concurrent alert](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/vmware-releases-security-update>) on the bug.\n\nCompanies are urged to update to the latest version, [version 1.0.2](<https://docs.vmware.com/en/VMware-Carbon-Black-Cloud-Workload/1.0/rn/cbc-workload-102-release-notes.html>), of the VMware Carbon Black Cloud Workload appliance, which contains a fix.\n\nUsers should also limit access to the local administrative interface of the appliance to only those that need it, VMware recommended.\n\nEgor Dimitrenko of Positive Technologies was credited with discovering the vulnerability.\n\nThe security hole is only the latest critical problem that VMware has addressed. In February, for instance, VMware [patched three vulnerabilities](<https://threatpost.com/vmware-patches-critical-rce-flaw-in-vcenter-server/164240/>) in its virtual-machine infrastructure for data centers, including a remote code execution (RCE) flaw in its vCenter Server management platform. The vulnerability could allow attackers to breach the external perimeter of an enterprise data center or leverage backdoors already installed on a system, to find other vulnerable points of network entry to take over affected systems.\n
", "cvss3": {}, "published": "2021-04-06T20:55:47", "type": "threatpost", "title": "Critical Bug in VMWare Carbon Black Allows Takeover", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-21982"], "modified": "2021-04-06T20:55:47", "id": "THREATPOST:98B57FBF6D83FA4D12BEE06C0281FF91", "href": "https://threatpost.com/critical-cloud-bug-vmware-carbon-black/165278/", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-04-07T16:47:09", "description": "Smart cybercriminals are going after web servers and browsers, more so than after individuals. Unfortunately, these types of attacks often go ignored, as they\u2019re harder to test for (in terms of pen-testing).\n\nWith much of the world now working remotely, this threat has intensified. Attackers use email, instant messages, SMS messages and links on social networking to trick at-home workers into installing malware that leads to identity theft, loss of property and, possibly, entry into the corporate network. 
Phishing attacks may lead users to fake sites or landing pages, with the same intent.\n\nWhat are the latest risks organizations are facing, and what can be done now to defend against them?\n\n## **Web-Based Phishing On the Rise**\n\nThe cybersecurity industry is seeing a significant spike in web-based phishing, starting with the HTML/phishing cyber-threat family. Similar HTML cousins \u2013 /ScrInject (browser script injection attacks) and /REDIR (browser redirection schemes) \u2013 have also contributed to the increase in phishing attempts in 2020. Web-based malware tends to override or bypass most common antivirus (AV) programs, giving it a greater chance of survival and successful infection.\n\nThis reveals a strong interest from cybercriminals in attacking users where they are often most vulnerable and gullible: browsing the web. The combination of remote work and online shopping expand this threat significantly. Black Friday shoppers last year spent a record-shattering [$9 billion](<https://abcnews.go.com/Business/black-friday-hits-record-report/story?id=74435965>), for instance. With the COVID-19 risk of in-person shopping, 2020\u2019s Cyber Monday was reportedly the largest online sales day ever. Web-based malware can obscure and/or bypass traditional AV products, upping the chance of successful infection.\n\n## **Browsers: A Key Delivery Vector for Malware **\n\nBrowsers are not easy to secure, and web applications can be challenging to monitor. These are some of the reasons why the browser has become a key delivery vector for malware over the last year, and this trend will likely continue for the next year. 
This corresponds to the documented drop in corporate web traffic, which was generally inspected and sanitized, and the rise in home-based web traffic due to the shift to remote work.\n\nThis shift reinforces the point that cybercriminals have intentionally changed their attack methodologies to target the traffic that is now flooding lesser-secured networks. Malware trends reflect attackers\u2019 intentions and capabilities. Similar to intrusion-prevention system (IPS) detections, malware picked up by security sensors does not always indicate confirmed infections, but rather the weaponization and/or distribution of malicious code. Detections can occur at the network, application and host level on many different devices.\n\n## **What Cybersecurity Actions Should I Take Now?**\n\nThere are three things that organizations need to consider when it comes to their cybersecurity strategy:\n\n 1. **Cyber-hygiene is key:** Organizations must provide remote workers with the knowledge and training necessary to secure their own personal networks and the connected business network. This involves training but also guidance on software updates.\n 2. **Organizations can\u2019t rely on employees\u2019 personal security:** They must also provide additional resources, such as endpoint detection-and-response (EDR) solutions that can detect and stop advanced threats. Organizations need advanced, real-time threat protection for endpoints both pre- and post-infection.\n 3. **Effective cybersecurity necessitates continuous vigilance and adaptability to changing threat strategies:** Though security should have been a top priority all along, now may be the time to consider investing in broader, more advanced, adaptable, and integrated solutions \u2013 particularly as cybercriminals modify their attack methods to use personal devices as a springboard to enterprise networks. 
With this in mind, fortifying remote systems and networks should top the security to-do list.\n\n## **Staying Well-Equipped**\n\nThe threat landscape shifts constantly, requiring security pros to keep on top of new threat types and vectors. Savvy defenders should note that the browser was a prime delivery vector for malware in 2020 \u2013 and is likely to be again this year \u2013 and act accordingly to ensure consistent controls for remote systems. Regardless of the state of the world around us, the best way to protect against ever-evolving malicious activity is to take a comprehensive, integrated approach to cybersecurity.\n\nVital components of this approach include continuous access to up-to-date threat intelligence and cybersecurity training for all employees, particularly those who work remotely. It\u2019s also essential to use updated security technology, such as EDR, which detects and halts advanced threats in real time. All the intelligence in the world won\u2019t do an organization any good if its security tools aren\u2019t capable of using it to find and mitigate attacks. Make sure all of these tactics are part of your comprehensive security strategy.\n\n**_Aamir Lakhani is a cybersecurity researcher and practitioner for Fortinet\u2019s FortiGuard Labs. 
_**\n", "cvss3": {}, "published": "2021-04-05T17:28:13", "type": "threatpost", "title": "How To Defend the Extended Network Against Web Risks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-21982"], "modified": "2021-04-05T17:28:13", "id": "THREATPOST:6C1025257B798335D913F95B63229B76", "href": "https://threatpost.com/how-to-defend-the-extended-network-against-web-risks/165236/", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-04-07T16:39:22", "description": "A zero-click security vulnerability in Apple\u2019s macOS Mail would allow a cyberattacker to add or modify any arbitrary file inside Mail\u2019s sandbox environment, leading to a range of attack types.\n\nAccording to Mikko Kentt\u00e4l\u00e4, founder and CEO of SensorFu, exploitation of the bug could lead to unauthorized disclosure of sensitive information to a third party; the ability to modify a victim\u2019s Mail configuration, including mail redirects, which enable takeover of the victim\u2019s other accounts via password resets; and the ability to change the victim\u2019s configuration so that the attack can propagate to correspondents in a worm-like fashion.\n\nThough the researcher is just now making the bug\u2019s [details available](<https://mikko-kenttala.medium.com/zero-click-vulnerability-in-apples-macos-mail-59e0c14b106c>), it was patched in macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.5, so users should update accordingly.\n\n## **Unauthorized Write Access**\n\nKentt\u00e4l\u00e4 said he discovered the bug ([CVE-2020-9922](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9922>)) by sending test messages and following Mail process syscalls.\n\nHe found that \u201cmail has a feature 
which enables it to automatically uncompress attachments which have been automatically compressed by another Mail user,\u201d he explained. \u201cIn the valid use case, if the user creates email and adds the folder as an attachment it will be automatically compressed with ZIP and x-mac-auto-archive=yes; is added to the MIME headers. When another Mail user receives this email, compressed attachment data is automatically uncompressed.\u201d\n\nHowever, the researcher discovered that parts of the uncompressed data are not removed from the temporary directory \u2013 and that the directory serves multiple functions, allowing attackers to pivot within the environment.\n\n\u201c[It] is not unique in context of Mail, this can be leveraged to get unauthorized write access to ~/Library/Mail and to $TMPDIR using symlinks inside of those zipped files,\u201d Kentt\u00e4l\u00e4 explained.\n\n## **Zero-Click Attack Path**\n\nTo exploit the bug, a cyberattacker could email two .ZIP files as attachments to the victim, according to the analysis. When a user receives the email, the Mail app will parse it to find any attachments with x-mac-auto-archive=yes header in place. Mail will then automatically unpack those files.\n\n\u201cThe first .ZIP includes a symlink named Mail which points to victims\u2019 $HOME/Library/Mail and file 1.txt,\u201d said Kentt\u00e4l\u00e4. \u201cThe .ZIP gets uncompressed to $TMPDIR/com.apple.mail/bom/. Based on the filename=1.txt.zip header, 1.txt gets copied to the mail director and everything works as expected. However, cleanup is not done right way and the symlink is left in place.\u201d\n\nThis left-behind symlink anchors the second stage of the attack.\n\n\u201cThe second attached .ZIP includes the changes that you want to do to $HOME/Library/Mail. This will provide arbitrary file write permission to Library/Mail,\u201d the researcher explained. \u201cIn my example case I wrote new Mail rules for the Mail application. 
With that you can add an auto forward rule to the victim\u2019s Mail application.\u201d\n\nThis arbitrary write access means that an attacker can manipulate all of the files in $HOME/Library/Mail, he added.\n\nCVE-2020-9922 is rated 6.5 on the CVSS vulnerability-severity scale, making it medium-severity, but the researcher stressed that successful exploitation could \u201clead to many bad things.\u201d\n\n\u201cAs shown, this will lead to exposure of the sensitive data to a third party through manipulating the Mail application\u2019s configuration,\u201d he said. \u201cOne of the available configuration options is the user\u2019s signature which could be used to make this vulnerability wormable. There is also a chance that this could lead to a remote code-execution (RCE) vulnerability, but I didn\u2019t go that far.\u201d\n", "cvss3": {}, "published": "2021-04-05T19:10:53", "type": "threatpost", "title": "Apple Mail Zero-Click Security Vulnerability Allows Email Snooping", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-9922", "CVE-2021-21982"], "modified": "2021-04-05T19:10:53", "id": "THREATPOST:E3FA0D5BB017B7DD39D5924D32A9A668", "href": "https://threatpost.com/apple-mail-zero-click-security-vulnerability/165238/", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-06-25T16:18:48", "description": "VMware has fixed an uber-severe bug in its Carbon Black App Control (AppC) management server: A server whose job is to lock down critical systems and servers so they don\u2019t 
get changed willy-nilly.\n\nAppC also ensures that organizations stay in continuous compliance with regulatory mandates.\n\nThis is a bad one: VMware puts the flaw, [CVE-2021-21998](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21998>), in the critical severity range with a maximum CVSSv3 base score of 9.4 out of 10. The bug is an authentication bypass that could enable an attacker with network access to the server to get administrative privileges without needing to authenticate.\n\nAccording to VMware\u2019s [advisory](<https://www.vmware.com/security/advisories/VMSA-2021-0012.html>), the authentication-bypass bug affects AppC versions 8.0, 8.1, 8.5 before 8.5.8, and 8.6 before 8.6.2.\n\nAs pointed out by [Heimdal Security](<https://heimdalsecurity.com/blog/vmware-fixes-severe-carbon-black-app-control-authentication-bypass-vulnerability/>), depending on the environment, threat actors could exploit the vulnerability \u201cto maximum advantage to attack anything from point-of-sale [systems] (PoS) to industrial-control systems.\u201d\n\nTo avoid that, organizations must patch, as there are no workarounds available.\n\nBelow are the patches, listed in the Fixed Version column of VMware\u2019s Response Matrix:\n\nProduct | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation \n---|---|---|---|---|---|---|---|--- \nAppC | 8.6.x | Windows | CVE-2021-21998 | 9.4 | critical | 8.6.2 | None | None \nAppC | 8.5.x | Windows | CVE-2021-21998 | 9.4 | critical | 8.5.8 | None | None \nAppC | 8.1.x, 8.0.x | Windows | CVE-2021-21998 | 9.4 | critical | Hotfix | None | None \n \nCredit for discovering and reporting CVE-2021-21999 goes to [Zeeshan Shaikh](<https://twitter.com/bugzzzhunter>) from NotSoSecure, who worked with Trend Micro Zero Day Initiative (ZDI) and [Hou JingYi](<https://twitter.com/hjy79425575>) of Qihoo 360.\n\n## Plus This: 
High-Risk Bug in Other VMware Products\n\nBesides the authentication-bypass fix, VMware also published a security advisory for a high-risk bug in VMware Tools, VMware Remote Console for Windows (VMRC), and VMware App Volumes products.\n\nAt this point, the bug doesn\u2019t have a severity score from the National Institute of Standards and Technology (NIST), but VMware evaluated it at 7.8 (high severity). The flaw, [CVE-2021-21999](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21999>), is a local privilege-escalation vulnerability.\n\nVMware\u2019s [advisory](<https://www.vmware.com/security/advisories/VMSA-2021-0013.html>) lists the affected products as VMware Tools for Windows (11.x.y prior to 11.2.6), VMware Remote Console for Windows (12.x prior to 12.0.1) , and VMware App Volumes (2.x prior to 2.18.10 and 4 prior to 2103).\n\nOnce again, there\u2019s no workaround for this one. Admins should patch it as soon as possible, given what VMware said can be done with it:\n\n> An attacker with normal access to a virtual machine may exploit this issue by placing a malicious file renamed as `openssl.cnf\u2019 in an unrestricted directory which would allow code to be executed with elevated privileges.\n\n## History of Critical Holes\n\nThe security hole in AppC is only the latest critical problem that VMware has addressed. In February, for one, VMware [patched three vulnerabilities](<https://threatpost.com/vmware-patches-critical-rce-flaw-in-vcenter-server/164240/>) in its virtual-machine infrastructure for data centers, including a remote code-execution (RCE) flaw in its vCenter Server management platform. 
The vulnerability could allow attackers to breach the external perimeter of an enterprise data center or leverage backdoors already installed on a system, to find other vulnerable points of network entry to take over affected systems.\n\nMore recently, in April, another [critical cloud bug](<https://threatpost.com/critical-cloud-bug-vmware-carbon-black/165278/>), again in VMware Carbon Black, would have allowed takeover. The bug (CVE-2021-21982) ranked 9.1 out of 10 on the CVSS vulnerability-severity scale. It would enable an unauthenticated attacker with network access to the administrative interface to take over the administrative rights for the VMware Carbon Black Cloud Workload appliance.\n
", "cvss3": {}, "published": "2021-06-24T15:31:31", "type": "threatpost", "title": "Critical VMware Carbon Black Bug Allows Auth Bypass", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-3580", "CVE-2021-21982", "CVE-2021-21998", "CVE-2021-21999"], "modified": "2021-06-24T15:31:31", "id": "THREATPOST:9AD64DC6BE4117F56E76B2BF8F28A597", "href": "https://threatpost.com/vmware-carbon-black-authentication-bypass/167226/", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "thn": [{"lastseen": "2022-05-09T12:38:23", "description": "A critical vulnerability in the VMware Carbon Black Cloud Workload appliance could be exploited to bypass authentication and take control of vulnerable systems.\n\nTracked as CVE-2021-21982, the flaw is rated 9.1 out of a maximum of 10 in the CVSS scoring system and affects appliance versions 1.0.0 and 1.0.1; version 1.0.2 contains the fix. 
\n\nCarbon Black Cloud Workload is a data center security product from VMware that aims to protect critical servers and workloads hosted on vSphere, the company's cloud-computing virtualization platform.\n\n\"A URL on the administrative interface of the VMware Carbon Black Cloud Workload appliance can be manipulated to bypass authentication,\" VMware [said](<https://www.vmware.com/security/advisories/VMSA-2021-0005.html>) in its advisory, thereby allowing an adversary with network access to the interface to gain access to the administration API of the appliance.\n\nArmed with the access, a malicious actor can then view and alter [administrative configuration settings](<https://docs.vmware.com/en/VMware-Carbon-Black-Cloud-Workload/1.0/carbonblack_workload/GUID-E2ED3713-315B-4EEE-A3E8-A7A09A011101.html>), the company added.\n\nIn addition to releasing a fix for CVE-2021-21982, VMware has also [addressed](<https://www.vmware.com/security/advisories/VMSA-2021-0004.html>) two separate bugs in its vRealize Operations Manager solution that an attacker with network access to the API could exploit to carry out Server Side Request Forgery ([SSRF](<https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/>)) attacks to steal administrative credentials (CVE-2021-21975) and write files to arbitrary locations on the underlying [photon](<https://github.com/vmware/photon>) operating system (CVE-2021-21983).\n\nThe product is primarily designed to monitor and optimize the performance of the virtual infrastructure and support features such as workload balancing, troubleshooting, and compliance management.\n\nEgor Dimitrenko, a security researcher with Positive Technologies, has been credited with reporting all three flaws.\n\n\"The main risk is that administrator privileges allow attackers to exploit the second vulnerability\u2014CVE-2021-21983 (an arbitrary file write flaw, scored 7.2), which allows executing any commands on the server,\" Dimitrenko 
[said](<https://www.ptsecurity.com/ww-en/about/news/vmware-fixes-dangerous-vulnerabilities-in-software-for-infrastructure-monitoring-discovered-by-positive-technologies/>). \"The combination of two security flaws makes the situation even more dangerous, as it allows an unauthorized attacker to obtain control over the server and move laterally within the infrastructure.\"\n\nVMware has released patches for vRealize Operations Manager versions 7.0.0, 7.5.0, 8.0.1, 8.1.1, 8.2.0 and 8.3.0. The company has also published workarounds to mitigate the risks associated with the flaws in scenarios where the patch cannot be installed or is not available.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2021-04-07T08:03:00", "type": "thn", "title": "Critical Auth Bypass Bug Found in VMware Data Center Security Product", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975", "CVE-2021-21982", "CVE-2021-21983"], "modified": "2021-04-07T09:38:17", "id": "THN:4640BEB83FE3611B6867B05878F52F0D", "href": "https://thehackernews.com/2021/04/critical-auth-bypass-bug-found-in.html", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:55", "description": "[](<https://thehackernews.com/images/-j136_z7UZNc/YNQ7Y__WRWI/AAAAAAAAC-U/oIYaMgYSXVYLJkHR5taYmCdxvH79jX-ewCLcBGAsYHQ/s0/vmware.jpg>)\n\nVMware has rolled out security updates to resolve a critical flaw affecting Carbon Black App Control that could be exploited to bypass authentication and take control of vulnerable systems.\n\nThe vulnerability, identified as CVE-2021-21998, is rated 9.4 out of 10 in severity by the industry-standard Common Vulnerability Scoring System (CVSS) and affects App Control (AppC) versions 8.0.x, 8.1.x, 8.5.x, and 8.6.x.\n\n[Carbon Black App Control](<https://www.carbonblack.com/products/app-control/>) is a security solution designed to lock down critical systems and servers to prevent unauthorized changes in the face of cyber-attacks and ensure compliance with regulatory mandates such as PCI-DSS, HIPAA, GDPR, SOX, FISMA, and NERC.\n\n\"A malicious actor with network access to the VMware Carbon Black App Control management server might be able to obtain administrative access to the product without the need to authenticate,\" the California-based cloud computing and virtualization technology company [said](<https://www.vmware.com/security/advisories/VMSA-2021-0012.html>) in an advisory.\n\nCVE-2021-21998 is the second time VMware is addressing an authentication bypass issue in its Carbon Black endpoint security software. 
Earlier this April, the company fixed an incorrect URL handling vulnerability in the Carbon Black Cloud Workload appliance ([CVE-2021-21982](<https://thehackernews.com/2021/04/critical-auth-bypass-bug-found-in.html>)) that could be exploited to gain access to the administration API. \n\nThat's not all. VMware also patched a local privilege escalation bug affecting VMware Tools for Windows, VMware Remote Console for Windows (VMRC for Windows), and VMware App Volumes (CVE-2021-21999, CVSS score: 7.8) that could allow a bad actor to execute arbitrary code on affected systems.\n\n\"An attacker with normal access to a virtual machine may exploit this issue by placing a malicious file renamed as 'openssl.cnf' in an unrestricted directory which would allow code to be executed with elevated privileges,\" VMware [noted](<https://www.vmware.com/security/advisories/VMSA-2021-0013.html>).\n\nVMware credited Zeeshan Shaikh (@bugzzzhunter) from NotSoSecure and Hou JingYi (@hjy79425575) of Qihoo 360 for reporting the flaw.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-24T08:00:00", "type": "thn", "title": "Critical Auth Bypass Bug Affects VMware Carbon Black App Control", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21982", "CVE-2021-21998", "CVE-2021-21999"], "modified": "2021-06-24T08:00:41", "id": "THN:868A288940CAEB61BD09AB7B818AD160", "href": "https://thehackernews.com/2021/06/critical-auth-bypass-bug-affects-vmware.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}
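The Apple Mail write-up in the Threatpost entries above describes a two-archive sequence: the first ZIP plants a symlink named Mail pointing at $HOME/Library/Mail and the incomplete cleanup leaves it in place; the members of the second ZIP are then written "through" that link into the victim's mail directory. The bug class is general to any extractor that honours symlink entries and then writes to wherever a member's path resolves. The script below is an added example written for this page, not Apple's code, Mail's extraction logic, or the researcher's proof of concept: it reproduces the primitive with a naive extractor in a throwaway directory and sets a hardened extractor beside it. The stand-ins for $HOME/Library/Mail and $TMPDIR/com.apple.mail/bom are plain directories under a temp root, the "rules" payload is constructed, and all function names are this example's own.

```python
"""Symlink-in-archive write primitive and a hardened extractor.
Added example for this page: not Apple's code, Mail's extractor, or the researcher's PoC."""
import io
import os
import stat
import tempfile
import zipfile


def build_zip(entries):
    """Build a ZIP in memory from (name, payload, is_symlink) tuples. A symlink's payload
    is its target, stored as Info-ZIP does: S_IFLNK in the high 16 bits of external_attr."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload, is_symlink in entries:
            info = zipfile.ZipInfo(name)
            info.create_system = 3  # Unix, so external_attr carries st_mode
            mode = (stat.S_IFLNK | 0o777) if is_symlink else (stat.S_IFREG | 0o644)
            info.external_attr = mode << 16
            zf.writestr(info, payload)
    return buf.getvalue()


def is_symlink_entry(info):
    return stat.S_ISLNK(info.external_attr >> 16)


def naive_extract(zip_bytes, dest):
    """The defect class from the write-up: recreate symlink entries, then open member
    paths without asking where they resolve."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            path = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            if is_symlink_entry(info):
                os.symlink(zf.read(info).decode(), path)  # plants the link
            else:
                with open(path, "wb") as fh:  # follows any link already on disk
                    fh.write(zf.read(info))


class UnsafeMember(ValueError):
    """A member the hardened extractor refuses."""


def unsafe_name(name):
    """Absolute names and names with a '..' component are refused outright."""
    return name.startswith(("/", "\\")) or ".." in name.replace("\\", "/").split("/")


def safe_extract(zip_bytes, dest):
    """Refuse symlink entries and traversal names, and refuse any member whose target
    resolves outside dest once links already on disk are followed. Returns names written."""
    dest_real = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if is_symlink_entry(info):
                raise UnsafeMember(f"symlink entry refused: {name}")
            if unsafe_name(name):
                raise UnsafeMember(f"traversal name refused: {name}")
            resolved = os.path.realpath(os.path.join(dest_real, name))
            if os.path.commonpath([dest_real, resolved]) != dest_real:
                raise UnsafeMember(f"resolves outside destination: {name} -> {resolved}")
            if name.endswith("/"):
                os.makedirs(resolved, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(resolved), exist_ok=True)
            # O_NOFOLLOW|O_EXCL closes the check-then-open race on the final component.
            flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
            with os.fdopen(os.open(resolved, flags, 0o644), "wb") as fh:
                fh.write(zf.read(info))
            written.append(name)
    return written


def replay():
    """Replay the two-archive sequence under a temp root (constructed stand-ins for
    $HOME/Library/Mail and $TMPDIR/com.apple.mail/bom; constructed payloads).
    Returns (naive_wrote_outside, refused_link_entry, refused_write_through, benign_written)."""
    with tempfile.TemporaryDirectory() as root:
        mail_dir = os.path.join(root, "Library", "Mail")
        bom_dir = os.path.join(root, "bom")
        os.makedirs(mail_dir)
        os.makedirs(bom_dir)
        # Archive 1: symlink "Mail" -> victim mail dir, plus the innocuous 1.txt.
        first = build_zip([("Mail", mail_dir, True), ("1.txt", b"hello", False)])
        # Archive 2: "the changes you want to do to Library/Mail", written through the link.
        second = build_zip([("Mail/rules.txt", b"forward-all: attacker@example.invalid", False)])

        naive_extract(first, bom_dir)   # the link is left behind, as in the write-up
        naive_extract(second, bom_dir)  # lands in mail_dir, outside bom_dir
        naive_wrote_outside = os.path.isfile(os.path.join(mail_dir, "rules.txt"))

        clean = os.path.join(root, "clean")
        os.makedirs(clean)
        try:
            safe_extract(first, clean)
            refused_link_entry = False
        except UnsafeMember:
            refused_link_entry = True
        os.symlink(mail_dir, os.path.join(clean, "Mail"))  # link planted by some other path
        try:
            safe_extract(second, clean)
            refused_write_through = False
        except UnsafeMember:
            refused_write_through = True
        benign = build_zip([("docs/readme.txt", b"ok", False), ("1.txt", b"hello", False)])
        benign_written = safe_extract(benign, clean)
        return naive_wrote_outside, refused_link_entry, refused_write_through, benign_written


if __name__ == "__main__":
    print(replay())
```

The two checks are complementary: rejecting symlink entries stops an archive from planting a link, and the realpath comparison stops a write through a link that already exists on disk, whichever code path left it there. The O_NOFOLLOW open only protects the final path component, which is why the resolved-path check on the parent directories is still needed.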