VMware Patches Critical CVE-2023-20858 Vulnerability in Carbon Black App Control


Virtualization technology giant VMware on Tuesday shipped its security bulletin with patches for a critical-level flaw that exposes businesses to remote code execution attacks.

VMware said the security defects affect users of its VMware Carbon Black App Control and could be exploited by an attacker to take full control of a target system.

VMware Carbon Black App Control is an application allowlisting solution designed to enable security operations teams to lock down new and legacy systems against unwanted change, simplify the compliance process, and provide protection for corporate systems.

The company said the serious flaw, documented as CVE-2023-20858, carries a CVSS severity score of 9.1 out of 10, adding to the urgency for organizations to apply available patches.

CVE-2023-20858

VMware Carbon Black App Control could allow a remote authenticated attacker to execute arbitrary code on the system because of an injection vulnerability: by sending a specially crafted request, an attacker could exploit this flaw to execute arbitrary code on the system.

“A malicious actor with privileged access to the App Control administration console may be able to use specially crafted input allowing access to the underlying server operating system,” VMware warned.

In addition to the CVE-2023-20858 flaw, VMware also patched an XML external entity injection (XXE) vulnerability in VMware vRealize Orchestrator that allowed a remote authenticated attacker to read arbitrary files, cause a denial of service, conduct an SSRF attack, or achieve other system impacts.

The vRealize Orchestrator XXE flaw, documented as CVE-2023-20855, was reported by a security researcher from IT.NRW.

“A malicious actor, with non-administrative access to vRealize Orchestrator, may be able to use specially crafted input to bypass XML parsing restrictions leading to access to sensitive information or possible escalation of privileges,” VMware added.
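The XXE class of flaw described above is usually mitigated by refusing DTDs and entity declarations outright before an XML document is parsed. The following added example (not code from VMware, vRealize Orchestrator or this article) shows a Python loader that does exactly that; the sample documents and the `example.invalid` host are constructed for illustration.

```python
# Added example (not from VMware or the article): a defensive XML loader that
# refuses any document carrying a DOCTYPE or entity declaration, which is the
# standard mitigation for XXE. All inputs below are constructed.
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXMLError(ValueError):
    """Raised when a document declares a DTD or any entity."""


def _scan_for_dtd(data: bytes) -> None:
    """First pass with expat: abort on a DOCTYPE or entity declaration
    before any real parsing happens, so no entity is ever resolved."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE '{name}' not allowed")

    def on_entity(*args):
        raise UnsafeXMLError("entity declaration not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)


def load_xml_safely(data: bytes) -> ET.Element:
    """Parse untrusted XML only after confirming it has no DTD/entities."""
    _scan_for_dtd(data)
    return ET.fromstring(data)


# Constructed samples: one benign, one declaring an external entity.
BENIGN = b'<?xml version="1.0"?><workflow><name>backup</name></workflow>'
WITH_EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE w [<!ENTITY ext SYSTEM "http://example.invalid/resource">]>'
    b'<workflow><name>&ext;</name></workflow>'
)


def is_accepted(data: bytes) -> bool:
    """True if the loader accepts the document, False if it is rejected."""
    try:
        load_xml_safely(data)
        return True
    except UnsafeXMLError:
        return False
```

Rejecting at the DOCTYPE stage means the parser never reaches the entity's SYSTEM identifier, so neither a file read nor an outbound request can be triggered.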