VMware commended Positive Technologies expert Egor Dimitrenko for discovering a vulnerability in one of the components of the VMware Carbon Black cloud platform, designed to protect virtual machines in corporate infrastructure. VMware has fixed the vulnerability and released a corresponding advisory.
Vulnerability CVE-2021-21982 (CVSSv3 score 9.1) was found in Carbon Black Cloud Workload version 1.0.1 (and earlier versions), an on-premises component that links VMware vCenter Server (the application for centralized management of VMware vSphere environments) to VMware Carbon Black Cloud.
Egor Dimitrenko of Positive Technologies explains: “The attack does not require authorization: any user who has access to the interface can obtain a token to work with the system, bypassing legitimate authentication. The vulnerable application's interface is available on the internal network, but in some cases it’s open for attacks from the Internet as well. With an authentication token, an attacker can work with Carbon Black Cloud Workload with maximum privileges. As this application is a link between vCenter Server inside the company's network and the cloud solution for monitoring the security of virtual machines, an attacker with maximum privileges can break this connection and disrupt the protection mechanisms.”
According to research conducted by Positive Technologies, CVE-2021-21982 is caused by an improper blacklist (denylist) check of access to some components of the application: only the paths explicitly listed are protected, which is less secure than a whitelist (allowlist) check that denies everything not explicitly permitted.
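The denylist-versus-allowlist distinction above, as an added illustration written for this page (not code from VMware or Positive Technologies, and not a reproduction of the actual CVE-2021-21982 flaw): the paths, endpoint names and requests are all constructed, and the point is that a denylist leaves any endpoint its author did not enumerate reachable without a session, while an allowlist requires authentication by default.

```python
# Added illustration of the bug class: denylist vs allowlist authorization
# on HTTP paths. Not VMware code; every path and request is constructed.
from dataclasses import dataclass
import posixpath


@dataclass
class Request:
    path: str
    authenticated: bool


# Weak pattern: only paths the developer remembered to list require a
# session. A sensitive endpoint added later (or simply forgotten) is open.
DENYLIST_PREFIXES = ("/api/v1/token", "/api/v1/admin")


def denylist_allows(req: Request) -> bool:
    if req.path.startswith(DENYLIST_PREFIXES):
        return req.authenticated
    return True  # anything not enumerated passes through unauthenticated


# Corrected pattern: enumerate the few endpoints that may be reached
# without a session; every other path requires authentication by default.
ALLOWLIST_PUBLIC = frozenset({"/login", "/health"})


def allowlist_allows(req: Request) -> bool:
    # Collapse "." and ".." segments so the comparison sees one canonical
    # form (normpath leaves percent-encoding and letter case untouched).
    canonical = posixpath.normpath(req.path)
    if canonical in ALLOWLIST_PUBLIC:
        return True
    return req.authenticated


# Constructed requests, including an anonymous call to an endpoint the
# denylist author never enumerated (hypothetical path).
SAMPLE = [
    Request("/login", authenticated=False),
    Request("/api/v1/token", authenticated=False),
    Request("/api/v1/internal/issue-token", authenticated=False),
    Request("/api/v1/admin/./users", authenticated=True),
]


def compare(requests=SAMPLE):
    """Return {path: (denylist_decision, allowlist_decision)}."""
    return {r.path: (denylist_allows(r), allowlist_allows(r)) for r in requests}


if __name__ == "__main__":
    for path, (deny, allow) in compare().items():
        print(f"{path:35} denylist={deny!s:5} allowlist={allow}")
```

The third request is the one that matters: the denylist admits it unauthenticated, the allowlist rejects it.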
To eliminate the vulnerability, follow the recommendations in the official VMware advisory. If the update cannot be installed, signs of compromise can be detected with a SIEM solution (such as MaxPatrol SIEM) that identifies suspicious behavior on the server, registers an incident, and helps stop intruders from moving laterally within the corporate network in a timely manner.
In February, Positive Technologies detected two vulnerabilities in vCenter Server, one of which was also critical. In April, Positive Technologies discovered other vulnerabilities in VMware tools such as VMware View Planner and VMware vRealize Operations (vROps), which have since been patched.