Vulnerability Management

VMware releases patches for Carbon Black App Control

VMware released patches for a critical vulnerability affecting its Carbon Black App Control product. ("VMware headquarters" by Ferran Rodenas is licensed under CC BY-NC-SA 2.0.)

VMware on Tuesday released a series of patches for a critical injection vulnerability with a CVSS score of 9.1 affecting its Carbon Black App Control product.

According to the CVE released by MITRE, when CVE-2023-20858 gets exploited, a malicious actor with privileged access to the App Control administration console could potentially use specially crafted input that would let the attacker access the underlying server operating system.

Because there’s no workaround available, VMware said in its advisory that to remediate this CVE, users should run the updates.

The vulnerability affects VMware Carbon Black App Control 8.7.x prior to 8.7.8, 8.8.x prior to 8.8.6, and 8.9.x prior to 8.9.4. Security researcher Jari Jääskelä has been credited with discovering and reporting the bug.

It's a serious vulnerability because it gives adversaries complete access to an organization’s Windows servers — but the risk is somewhat mitigated because attackers must first obtain privileged access to the App Control console, explained Phil Neray, vice president of cyber defense strategy at CardinalOps.

“That would require an initial campaign, such as a phishing attack targeting administrators in an organization,” said Neray.

VMware products are a favorite target for threat actors, so as always with a vulnerability like this, it’s best to apply the patches as soon as it’s practical, added Mike Parkin, senior technical engineer with Vulcan Cyber. Parkin also pointed out that exploiting this CVE apparently does require existing privileged access — so he agrees that the risk is slightly reduced.
