A critical vulnerability in the VMware Carbon Black Cloud Workload appliance could be exploited to bypass authentication and take control of vulnerable systems.
Tracked as CVE-2021-21982, the flaw is rated 9.1 out of a maximum of 10 in the CVSS scoring system and affects all versions of the product prior to 1.0.1.
Carbon Black Cloud Workload is a data center security product from VMware that aims to protect critical servers and workloads hosted on vSphere, the company's cloud-computing virtualization platform.
“A URL on the administrative interface of the VMware Carbon Black Cloud Workload appliance can be manipulated to bypass authentication,” VMware said in its advisory, thereby allowing an adversary with network access to the interface to gain access to the administration API of the appliance.
Armed with that access, a malicious actor can then view and alter administrative configuration settings, the company added.
In addition to releasing a fix for CVE-2021-21982, VMware has also resolved two other bugs in its vRealize Operations Manager solution that an attacker with network access to the API could exploit to carry out Server Side Request Forgery (SSRF) attacks to steal administrative credentials (CVE-2021-21975) and write files to arbitrary locations on the underlying Photon operating system (CVE-2021-21983).
The product is primarily designed to monitor and optimize the performance of the virtual infrastructure and support features such as workload balancing, troubleshooting, and compliance management.
Egor Dimitrenko, a security researcher with Positive Technologies, has been credited with reporting all three flaws.
“The major risk is that administrator privileges enable attackers to exploit the second vulnerability—CVE-2021-21983 (an arbitrary file write flaw, scored 7.2), which enables executing any commands on the server,” Dimitrenko said. “The combination of two security flaws makes the situation even more dangerous, as it allows an unauthorized attacker to obtain control over the server and move laterally in the infrastructure.”
VMware has released patches for vRealize Operations Manager versions 7.0.0, 7.5.0, 8.0.1, 8.1.1, 8.2.0 and 8.3.0. The company has also published workarounds to mitigate the risks associated with the flaws in situations where the patch cannot be installed or is not available.