VMware Carbon Black Critical Vulnerability – 24th March 2022

VMware has released a security bulletin that addresses two critical vulnerabilities in VMware Carbon Black App Control: CVE-2022-22951 and CVE-2022-22952. Both carry a CVSS score of 9.1, and both put the affected infrastructure at critical risk. VMware Carbon Black App Control Server versions 8.5.x to 8.8.x are affected. These are server-side vulnerabilities only: no agents are impacted, and patching needs to happen at the server level only.

VMware has released software patches to mitigate the vulnerabilities. Below we describe the two vulnerabilities in brief and the course of action required to resolve them.

Important points about the VMware Carbon Black App Control Server vulnerabilities:

  • CVE-2022-22951 and CVE-2022-22952 affect VMware's App Control Server software.
  • Patching the App Control server should resolve both vulnerabilities.
  • Mitigation needs to happen on the App Control Server. No client installation is needed.
  • No server reboot is necessary after installing the latest App Control Server update.

What critical vulnerabilities affect the VMware Carbon Black App Control Server?

Two critical vulnerabilities affect the VMware Carbon Black App Control Server.

  • CVE-2022-22951 – A critical vulnerability with a CVSS score of 9.1. It is a remote code execution vulnerability caused by improper input validation in VMware Carbon Black App Control. An authenticated user with network access to the App Control server can exploit the resulting command injection to execute commands on the VMware server. The resolution is to apply the latest security update on the VMware Carbon Black App Control server.
  • CVE-2022-22952 – Another critical vulnerability with a CVSS score of 9.1, affecting VMware Carbon Black App Control Server versions 8.5.x to 8.8.x. It is a file upload vulnerability: a malicious authenticated user could upload a file to the App Control Server and use it to target the Windows instance running the server. As with CVE-2022-22951, exploitation requires an authenticated user with network access to the control server. The resolution is to patch with the latest control server security updates for versions 8.5.x to 8.8.x.

Neither vulnerability has a workaround available at this point in time. The resolution is to update the App Control Server to the latest patches.

VMware Carbon Black App Control Vulnerability Resolution

CVE-2022-22951 and CVE-2022-22952 are resolved by updating the affected App Control Server software to the fixed version listed below.

  • AppC version 8.8.x needs to be updated to 8.8.2. The build number, post-update, will be 8.8.2.192. Log in to the Carbon Black User Exchange and download the 8.8.2 patch from the following page.
  • AppC version 8.7.x needs to be updated to 8.7.4. The build number, post-update, will be 8.7.4.4. AppC 8.7.4 can be downloaded from this page.
  • AppC version 8.6.x needs to be updated to 8.6.6. The build number, post-update, will be 8.6.6.4. You can download the zip archive from this page. You need to perform these steps through the Carbon Black User Exchange.
  • AppC version 8.5.x needs to be updated to 8.5.14. The build number, post-update, will be 8.5.14.4. You can download the zip archive for App Control version 8.5.14.4 from this page.

The resolution involves downloading the zip file and installing it on the server. The ParityServerSetup.exe file is used to patch the Carbon Black App Control Server software. The server does not require a reboot after the update is installed. App Control Server versions 8.5.x and higher are patched through the server-side installers; no client fix is required for these vulnerabilities.

On App Control Server version 8.5 or higher, the console shows the version of the App Control software running on the VMware server. For older installations, you can validate the software version on the App Control server manually by checking the hotfix logs in one of the two folder locations below:

  • C:\Program Files (x86)\Bit9\Parity Server\Support
  • C:\Users\"SERVICE USER"\AppData\Local\Temp
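To check a server against the fixed builds listed above, here is an added PowerShell example written for this page; it is not from VMware or the original article. The fixed build numbers (8.8.2.192, 8.7.4.4, 8.6.6.4, 8.5.14.4) are the ones given above. The location of the server binary (ParityServer.exe under the Bit9\Parity Server folder named above) and the use of its file version metadata are assumptions, so adjust $ServerExe for your install. When the binary is not present, the script runs the comparison against constructed sample builds instead.

```powershell
# Added example (not from the VMware advisory or the original article): reports whether
# an App Control Server build is at or above the fixed build for its release line.
# Fixed builds as listed in the article above.
$FixedBuilds = @{
    '8.8' = [version]'8.8.2.192'
    '8.7' = [version]'8.7.4.4'
    '8.6' = [version]'8.6.6.4'
    '8.5' = [version]'8.5.14.4'
}

function Test-AppControlPatched {
    param(
        [Parameter(Mandatory)][version]$InstalledBuild
    )
    # Release line is major.minor (e.g. 8.7); each line has its own fixed build.
    $line = '{0}.{1}' -f $InstalledBuild.Major, $InstalledBuild.Minor
    if (-not $FixedBuilds.ContainsKey($line)) {
        # Lines outside 8.5-8.8 are not covered by the advisory text above.
        return [pscustomobject]@{
            Build = $InstalledBuild; Line = $line; Required = $null; Status = 'NotInAdvisoryRange'
        }
    }
    # [version] objects compare component-wise, so 8.8.2.192 -ge 8.8.2.192 is true
    # and 8.8.0.100 -ge 8.8.2.192 is false.
    $status = if ($InstalledBuild -ge $FixedBuilds[$line]) { 'Patched' } else { 'Vulnerable' }
    [pscustomobject]@{
        Build = $InstalledBuild; Line = $line; Required = $FixedBuilds[$line]; Status = $status
    }
}

# Assumption: the server binary sits in the Parity Server folder named in the article and
# carries its build number in the file version metadata. Adjust for your installation.
$ServerExe = 'C:\Program Files (x86)\Bit9\Parity Server\ParityServer.exe'
if (Test-Path $ServerExe) {
    $vi = (Get-Item $ServerExe).VersionInfo
    $installed = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    Test-AppControlPatched -InstalledBuild $installed
} else {
    # Offline demonstration with constructed sample builds, one or two per release line.
    '8.8.0.100', '8.8.2.192', '8.7.3.9', '8.6.6.4', '8.5.13.2', '8.9.0.1' |
        ForEach-Object { Test-AppControlPatched -InstalledBuild ([version]$_) } |
        Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session on the App Control Server; a `Vulnerable` row means the server is still below the fixed build for its line and should be updated with the matching installer from the list above. The build-number comparison is deliberately done with the [version] type rather than string comparison, because string ordering would rank 8.5.9.x above 8.5.14.x.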

Summary

VMware's security updates for the App Control Server mitigate CVE-2022-22951 and CVE-2022-22952. The updates are installed on the App Control Server only; no client installations are needed. Once the latest patch is installed on the App Control Server, the vulnerabilities are fixed right away. Given the critical severity of these vulnerabilities, we recommend patching the App Control server as a priority.
