VMware Issues Patches for Critical Flaws Affecting Carbon Black App Control

VMware addressed two critical arbitrary code execution vulnerabilities affecting its Carbon Black App Control platform.

VMware released this week, software updates to address two critical security vulnerabilities, CVE-2022-22951 and CVE-2022-22952 (both received a CVSS score of 10), affecting its Carbon Black App Control platform that could be exploited by a threat actor to execute arbitrary code on affected installations on Windows systems.

The Carbon Black App Control is an application that allows listing solution that is designed to enable security operations teams to lock down new and legacy systems against unwanted change, simplify the compliance process, and provide protection for corporate systems.

The vulnerabilities were reported by security researchers Jari Jääskelä.

“Multiple vulnerabilities in VMware Carbon Black App Control were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.” reads the advisory published by VMware.

The issues could be only exploited by authenticated attackers with high privileges.

The first bug, tracked as CVE-2022-22951, is an OS command injection vulnerability in Carbon Black App Control. The issue is due to improper input validation leading to remote code execution.

“An authenticated, high privileged malicious actor with network access to the VMware App Control administration interface may be able to execute commands on the server due to improper input validation leading to remote code execution.” reads the advisory.

The second flaw, tracked as CVE-2022-22952, is a file upload vulnerability in VMware Carbon Black App Control. An attacker can trigger the flaw by uploading a specially crafted file.

“A malicious actor with administrative access to the VMware App Control administration interface may be able to execute code on the Windows instance where AppC Server is installed by uploading a specially crafted file.” continues the advisory.

Impacted versions are 8.5.x, 8.6.x, 8.7.x, and 8.8.x, the virtualization giant addressed the flaws with the release of versions 8.5.14, 8.6.6, 8.7.4, and 8.8.2. Customers are recommended to install security updates immediately.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Carbon Black App Control)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.