VMware has patched critical security flaws in its Carbon Black App Control security product running on Windows that can be exploited to execute arbitrary commands on the Windows host, such as commands to deploy malware, exfiltrate data, or explore the rest of the network.
An attacker needs to be logged in as an administrator or highly privileged user, which means exploitation is limited to rogue insiders and hijacked admin accounts.
Both vulnerabilities affect VMware’s Carbon Black App Control product. This is an agent-based datacenter security tool that allows system administrators to lock down servers and prevent any unwanted changes to or tampering with critical systems.
First flaw, CVE-2022-22951, is an OS command injection vulnerability. It could allow authenticated attackers with high privileges and network access to the VMware App Control administration interface to remotely execute commands on the server.
The second, CVE-2022-22952, could allow attackers with administrative access to upload a specially crafted file to then execute malicious code on the Windows instance running the App Control server
The Carbon Black App Control flaws follow earlier security alerts including two critical guest-to-host vulnerabilities in the XHCI and UHCI USB controllers in VMware’s ESXi hypervisor. The XHCI and UHCI USB controller bugs, which VMware patched in February, could allow attackers with administrative privileges in a virtual machine to execute malicious code as the VM’s VMX process on the host.