VMware fixes authentication bypass in data center security software

VMware has addressed a critical vulnerability in the VMware Carbon Black Cloud Workload appliance that could allow attackers to bypass authentication on vulnerable servers.

VMware Carbon Black Cloud Workload is a Linux data center security software designed to protect workloads running in virtualized environments.

It also bundles endpoint protection capabilities, including endpoint detection and response (EDR), next-gen antivirus, and real-time threat hunting.

This security vulnerability impacts VMware Carbon Black Cloud Workload appliance version 1.0.1 and earlier.

Admin interface exploitable for auth bypass

Attackers can exploit the security vulnerability tracked as CVE-2021-21982 by manipulating an administrative interface URL to obtain valid authentication tokens.

Using this auth token, the malicious actor can then access the administration API of unpatched VMware Carbon Black Cloud Workload appliances.

Successfully exploiting the security flaw enables the attacker to view and modify administrative configuration settings.

CVE-2021-21982 can be exploited remotely in low-complexity attacks, without requiring authentication or user interaction.

VMware evaluated the security bug as critical severity, assigning it a CVSSv3 base score of 9.1/10.

The vulnerability was discovered and privately reported to VMware by Positive Technologies web security researcher Egor Dimitrenko.

Mitigation also available

VMware has also issued mitigation information for admins who can't immediately patch their VMware Carbon Black Cloud Workload appliances.

As the company advises, removing remote access to the appliance's local admin interface is enough to remove the attack vector.

"VMware best practices recommend implementing network controls to limit access to the local administrative interface of the appliance," the company said.

"Unrestricted network access to this interface is not required for the regular operation of the product."
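As an added illustration of the mitigation quoted above (this is example code, not code from VMware or from the original article), the following Python script models the recommended network control as an allowlist of management networks and audits constructed web-server access-log lines for requests to the appliance's administrative interface that arrive from outside that allowlist. The one-line log format, the `/admin` path prefix and the `10.0.0.0/24` management subnet are assumptions made for this example; the real interface path and port come from the appliance documentation, not from this page.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List

# Assumed management network from which administrative access is permitted.
MANAGEMENT_NETWORKS = [ipaddress.ip_network("10.0.0.0/24")]

# Assumed URL prefix of the appliance's local administrative interface.
ADMIN_PATH_PREFIX = "/admin"

# Constructed log format for this example: "<client_ip> <method> <path> <status>"
LOG_LINE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


@dataclass
class Finding:
    client_ip: str
    method: str
    path: str
    status: int


def is_management_source(ip_text: str) -> bool:
    """True if the source address falls inside an allowlisted management network."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # malformed address is never treated as trusted
    return any(addr in net for net in MANAGEMENT_NETWORKS)


def audit_admin_access(lines: Iterable[str]) -> List[Finding]:
    """Return admin-interface requests that did not originate from a management network.

    A non-empty result means the network control is not (or not fully) in place:
    the interface is reachable from addresses that should be blocked upstream.
    """
    findings: List[Finding] = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the constructed format
        path = m.group("path")
        if not path.startswith(ADMIN_PATH_PREFIX):
            continue  # only the administrative interface is in scope
        if is_management_source(m.group("ip")):
            continue  # permitted source, nothing to report
        findings.append(Finding(m.group("ip"), m.group("method"), path, int(m.group("status"))))
    return findings


# Constructed sample lines: two requests from the management subnet, two from elsewhere,
# and one non-admin request that should be ignored.
SAMPLE_LOG = [
    "10.0.0.15 GET /admin/settings 200",
    "10.0.0.22 POST /admin/config 200",
    "203.0.113.9 GET /admin/settings 200",
    "198.51.100.4 GET /admin/ 401",
    "203.0.113.9 GET /health 200",
]

if __name__ == "__main__":
    for f in audit_admin_access(SAMPLE_LOG):
        print(f"ALERT: admin interface reached from non-management source "
              f"{f.client_ip}: {f.method} {f.path} -> {f.status}")
```

Run against the constructed sample, the script reports the two requests from `203.0.113.9` and `198.51.100.4`; note that the 401 response is still reported, because the advisory's point is that the interface should not be reachable at all from such addresses, regardless of whether a given request succeeded.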

On Tuesday, VMware patched two other vulnerabilities found by Dimitrenko in the vRealize Operations IT operations management platform.

When chained together, the two bugs lead to pre-auth remote code execution (RCE) on vulnerable vRealize Operations servers.
