VMware on Tuesday released a series of patches for a critical injection vulnerability with a CVSS score of 9.1 affecting its Carbon Black App Control product.
According to the CVE record published by MITRE, a malicious actor who already has privileged access to the App Control administration console could exploit CVE-2023-20858 with specially crafted input to gain access to the underlying server operating system.
VMware said in its advisory that there is no workaround, so applying the updates is the only way to remediate this CVE.
The vulnerability affects VMware Carbon Black App Control 8.7.x prior to 8.7.8, 8.8.x prior to 8.8.6, and 8.9.x prior to 8.9.4. Security researcher Jari Jääskelä has been credited with discovering and reporting the bug.
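To turn the affected ranges above into an inventory check, here is an added example (not VMware's own tooling, and not part of the original article) that compares an installed App Control version string against the three fixed releases the advisory names. The version strings in the demo inventory are constructed, and the handling of build suffixes and of branches the advisory does not mention is this example's own choice.

```python
"""Check a VMware Carbon Black App Control version string against the
CVE-2023-20858 affected ranges stated in VMware's advisory.

Added example for inventory triage; not VMware's own tooling. The version
strings in the demo are constructed, not taken from any real deployment.
"""
from typing import Optional, Tuple

# Per the advisory: 8.7.x prior to 8.7.8, 8.8.x prior to 8.8.6 and
# 8.9.x prior to 8.9.4 are affected; keyed by (major, minor) branch.
FIXED_RELEASES = {
    (8, 7): (8, 7, 8),
    (8, 8): (8, 8, 6),
    (8, 9): (8, 9, 4),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.8.2' (optionally with a build suffix like '8.8.2.1234') into ints."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def fixed_release_for(version: Tuple[int, ...]) -> Optional[Tuple[int, int, int]]:
    """Return the first patched release on this version's branch, or None if the
    branch is not one the advisory covers."""
    return FIXED_RELEASES.get((version[0], version[1]))


def is_affected(text: str) -> bool:
    """True when the version falls inside an affected range from the advisory.

    Branches the advisory does not mention (e.g. 8.6.x or 8.10.x) return False;
    treat that as 'not listed' rather than 'safe' when triaging.
    """
    version = parse_version(text)
    fixed = fixed_release_for(version)
    if fixed is None:
        return False
    # Compare only major.minor.patch so a build suffix does not skew the result.
    return version[:3] < fixed


def triage(versions):
    """Map a list of version strings to (version, affected) pairs for a report."""
    return [(v, is_affected(v)) for v in versions]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = ["8.7.7", "8.7.8", "8.8.2.1234", "8.8.6", "8.9.3", "8.9.4", "8.10.0"]
    for ver, hit in triage(inventory):
        print(f"{ver:12} {'AFFECTED - patch' if hit else 'not in affected range'}")
```

Feed it the version strings your asset inventory reports for each App Control server; anything flagged as affected should be scheduled for the advisory's update, since no workaround exists.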
It's a serious vulnerability because it gives adversaries complete access to an organization’s Windows servers — but the risk is somewhat mitigated because attackers must first obtain privileged access to the App Control console, explained Phil Neray, vice president of cyber defense strategy at CardinalOps.
“That would require an initial campaign, such as a phishing attack targeting administrators in an organization,” said Neray.
VMware products are a favorite target for threat actors, so as always with a vulnerability like this, it’s best to apply the patches as soon as it’s practical, added Mike Parkin, senior technical engineer with Vulcan Cyber. Parkin also pointed out that exploiting this CVE apparently does require existing privileged access — so he agrees that the risk is slightly reduced.