VMware addressed a critical bug in Carbon Black App Control

VMware released security updates to address a critical vulnerability, tracked as CVE-2023-20858, in the Carbon Black App Control product.

VMware addressed a critical injection vulnerability, tracked as CVE-2023-20858 (CVSSv3 score 9.1), in Carbon Black App Control.

VMware Carbon Black App Control allows organizations to ensure that only trusted and approved software is allowed to execute on their critical systems and endpoints.

An attacker with privileged access to the App Control administration console can trigger the issue by providing specially crafted input and gain access to the underlying server operating system.


“VMware Carbon Black App Control contains an injection vulnerability,” reads the advisory published by the virtualization giant. “A malicious actor with privileged access to the App Control administration console may be able to use specially crafted input allowing access to the underlying server operating system.”

The vulnerability impacts App Control versions 8.7.x, 8.8.x and 8.9.x for Microsoft’s Windows. The company addressed it with the release of versions 8.9.4, 8.8.6, 8.7.8.

The security researcher Jari Jääskelä privately reported the vulnerability through the company's bug bounty program on the HackerOne platform.

VMware states that there are no workarounds for this vulnerability.

Pierluigi Paganini


(SecurityAffairs – hacking, Carbon Black App Control)