VMware Carbon Black has critical vulnerability

VMware has disclosed a critical vulnerability in its Carbon Black endpoint security platform.

Carbon Black provides application control, anti-virus and policy enforcement for enterprise endpoints under a single admin console.

Carbon Black’s application control versions 8.7x, 8.8x and 8.9x running on Windows are subject to CVE-2023-20858, which carries a critical CVSS score of 9.1.

VMware describes it as an injection vulnerability. An attacker would need compromised user credentials to exploit the bug, since they need privileged access to the app control administration console via the network.

With access, an attacker can then feed the console crafted input, and get access to the underlying server operating system.

The bug was discovered by HackerOne researcher Jari Jääskelä.

The company also announced CVE-2023-20855, a CVSS 8.8-scored vulnerability in its vRealize Orchestrator, vRealize Automation, and VMware Cloud Foundation products.

“A malicious actor, with non-administrative access to vRealize Orchestrator, may be able to use specially crafted input to bypass XML parsing restrictions leading to access to sensitive information or possible escalation of privileges”, VMware’s advisory stated.

The bug was reported by Germany’s State Office for Information Technology and Statistics (IT.NRW).