Positive Technologies discovers critical vulnerability in the VMware endpoint protection platform

The vulnerability allows attackers to bypass authentication mechanisms and access Carbon Black Cloud Workload with maximum privileges

VMware commended Positive Technologies expert Egor Dimitrenko for discovering this vulnerability in one of the components of the VMware Carbon Black cloud platform designed to protect virtual machines in corporate infrastructure. VMware fixed the vulnerability and released a corresponding advisory.

Vulnerability CVE-2021-21982 (CVSSv3 score 9.1) was found in Carbon Black Cloud Workload version 1.0.1 (and earlier versions), a local solution that connects VMware vCenter Server (application for centralized management of the VMware vSphere environments) and VMware Carbon Black Cloud.

Egor Dimitrenko at Positive Technologies explains: "The attack does not require authorization: any user who has access to the interface can obtain a token to work with the system, bypassing legitimate authentication. The vulnerable application's interface is available on the internal network, but in some cases it is open for attacks from the Internet as well. With an authentication token, an attacker can work with Carbon Black Cloud Workload with maximum privileges. As this application is a link between vCenter Server inside the company's network and the cloud solution for monitoring the security of virtual machines, an attacker with maximum privileges can break this connection and disrupt the protection mechanisms."

According to research conducted by Positive Technologies, CVE-2021-21982 is caused by an improper blacklist check on access to some components of the application. A blacklist (denylist) check is less secure than a whitelist (allowlist) check because anything the list fails to name is permitted by default, whereas an allowlist denies by default.
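The following is an added illustration of the denylist-versus-allowlist point, not code from VMware, Carbon Black Cloud Workload or Positive Technologies, and it does not describe the actual mechanics of CVE-2021-21982. The path names, the "routing layer normalizes the path later" assumption and the request samples are all constructed. It shows why a deny-by-prefix check on request paths lets unexpected spellings fall through, while an allowlist of public paths, applied to the normalized path, fails closed.

```python
"""Denylist vs allowlist access checks on request paths.

Illustrative example written for this page; paths, policy and the
normalization behaviour are constructed assumptions and are not the
logic of the product discussed above.
"""
import posixpath
from urllib.parse import unquote

# Constructed: the only paths the application should serve without a session.
PUBLIC_PATHS = {"/login", "/health", "/static/logo.png"}

# Constructed: paths that must never be reachable without a session.
PROTECTED_PREFIXES = ("/api/token", "/api/admin")


def is_allowed_denylist(path: str, authenticated: bool) -> bool:
    """Weak form: block known-sensitive prefixes, permit everything else.

    The literal prefix test runs on the raw request path, so any spelling
    the test does not recognise is treated as 'not sensitive' and passes.
    """
    if authenticated:
        return True
    return not path.startswith(PROTECTED_PREFIXES)


def normalize(path: str) -> str:
    """Reduce a request path to the canonical form the handler would see.

    Assumed here: the routing layer percent-decodes, collapses '..' and
    matches case-insensitively. The check must do the same, otherwise it
    compares a different string than the one that is actually dispatched.
    """
    decoded = unquote(path)
    collapsed = posixpath.normpath(decoded)
    return collapsed.lower()


def is_allowed_allowlist(path: str, authenticated: bool) -> bool:
    """Safer form: only explicitly public paths are reachable anonymously.

    Anything not on the list, including every unexpected spelling of a
    protected path, is denied by default.
    """
    if authenticated:
        return True
    return normalize(path) in PUBLIC_PATHS


def compare(paths):
    """Return which of the given paths an anonymous caller reaches under each policy."""
    return {
        "denylist": [p for p in paths if is_allowed_denylist(p, False)],
        "allowlist": [p for p in paths if is_allowed_allowlist(p, False)],
    }


if __name__ == "__main__":
    # Constructed sample requests: two public, one protected, and three
    # differently spelled variants of the same protected path.
    sample = [
        "/login",
        "/health",
        "/api/token",
        "/API/token",
        "/static/../api/token",
        "/api/%74oken",
    ]
    for policy, reached in compare(sample).items():
        print(f"{policy:9s} anonymous access permitted to: {reached}")
```

Under the denylist only the exact spelling `/api/token` is refused; the allowlist refuses all four spellings and still serves `/login` and `/health`. The design point is that the check and the dispatcher must agree on what the path is, and that the default outcome for anything unrecognised should be denial.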

To eliminate the vulnerability, follow the recommendations in the official VMware advisory. If the update cannot be installed, signs of compromise can be detected with a SIEM solution (such as MaxPatrol SIEM) that identifies suspicious behavior on the server, registers an incident, and helps stop intruders from moving laterally within the corporate network in a timely manner.

In February, Positive Technologies detected two vulnerabilities in vCenter Server, one of which was also critical. In April, Positive Technologies discovered other vulnerabilities in VMware tools such as VMware View Planner and VMware vRealize Operations (vROps), which have since been patched.