eSentire White Logo

Security advisories | Apr 07, 2021

VMware Authentication Bypass Vulnerability

THE THREAT

VMware has announced a critical vulnerability impacting the VMware Carbon Black Cloud Workload appliance. The vulnerability, tracked as CVE-2021-21982, received a criticality rating of 9.1/10 and is classified as an authentication bypass vulnerability. A threat actor with previous access to the network may exploit the vulnerability to view and alter administrative settings for the appliance. Malicious configuration changes may impact the operations of the VMware Carbon Black Cloud Workload appliance.

Organizations are strongly recommended to apply the available security patches provided by VMware. Workarounds are not available, increasing the importance of applying security patches. eSentire does not employ or administer the VMware Carbon Black Cloud Workload appliance. eSentire services are not impacted by this vulnerability.

What we’re doing about it

  • MVS will automatically add the relevant plugins for these vulnerabilities once details are made available
  • eSentire security teams continue to track this topic and additional detection measures are currently under review

What you should do about it

  • After performing a business impact review, apply the relevant security patches provided by VMWare
  • Implement network controls to limit access to the local administrative interface for the VMware Carbon Black Cloud Workload appliance

Additional information

CVE-2021-21982 impacts VMware Carbon Black Cloud Workload appliance version 1.0.1 and earlier, running on Linux. While exploitation has not been identified in the wild at this time, organizations are recommended to patch as soon as possible. Vulnerabilities impacting security products are likely to receive increased attention of capable threat actors.

To successfully exploit this vulnerability, a threat actor would need network access to the administrative interface of the VMware Carbon Black Cloud Workload appliance. With this access, an attacker may obtain a valid authentication token, allowing them access to the administration API of the appliance.

References:
[1] https://www.vmware.com/security/advisories/VMSA-2021-0005.html
[2] https://nvd.nist.gov/vuln/detail/CVE-2021-21982