On April 1st, 2021, VMware released an advisory and update to address an authentication bypass vulnerability in Carbon Black Cloud, rated 9.1 out of 10 on the CVSSv3 severity scale. This issue allows an adversary with access to the administrative interface of the VMware Carbon Black Workload appliance to bypass authentication. According to VMware, “A URL on the administrative interface of the VMware Carbon Black Cloud Workload appliance can be manipulated to bypass authentication.” What is particularly troubling is that this vulnerability was announced alongside CVE-2021-21975 and a report by Positive Technologies making the case for exploitation via the VMware vROps API, obtaining “access to the application with maximum privileges, which allows changing the application configuration and intercepting any data within the app.”
VMware is on top of these issues, releasing prompt advisories and fixes in light of the discoveries. This is a convenient attack vector for adversaries who have already gained initial access via cloud platforms. Prompt patch management will cut off access, but to rule out an active compromise that predates the patch, it is imperative to have a security team with access to this infrastructure actively looking for threats. While this is not a possibility for every organization, it may be one of the deciding factors for the integrity of the network and the data within it. Binary Defense offers teams of researchers providing Intelligence and Threat Hunting operations to help identify active, dormant, or past compromise. Combined with a sound Security Operations Center, these teams can help support the IT team’s efforts to keep networks online and secure.