A vulnerability in VMware Tools allows escalation of privileges in a VM. A bug in Carbon Black crashed Windows systems.
VMware Tools contain a vulnerability that a local user can exploit to gain root (or, on Windows, SYSTEM) privileges inside a VMware VM. Meanwhile, the Carbon Black EDR security software caused large numbers of Windows servers to crash on August 23 because of a faulty antivirus rule set, leaving them with a blue screen of death when they were rebooted. Both problems have now been resolved.
VMware describes the VMware Tools vulnerability in a security advisory. Attackers who already hold an unprivileged account on the virtual machine (for example through stolen credentials or another security hole) can use it to escalate to root or SYSTEM privileges in that guest. This is a local privilege escalation inside the guest operating system, not an escape from the VM to the hypervisor.
The bug, tracked as CVE-2022-31676, was given a CVSSv3 base score of 7.0 by VMware and a severity rating of “important”. According to the advisory, it affects VMware Tools on Windows (versions 11 and 12) and on Linux (versions 10, 11 and 12). Administrators should update to version 12.1.0, or to 10.3.25 if they stay on the 10.x branch for Linux; there is no fixed 11.x release, so anyone running version 11 should move to version 12.
VMware Tools simplify the management of VMs and are installed in the guest on most virtual machines by default. The vulnerability is therefore likely to affect the majority of VMs running on the popular hypervisor.
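Checking whether a guest is still exposed means comparing the installed VMware Tools version against the fixed releases named in the advisory. The script below is an added example, not VMware's code and not part of the original article: it runs inside a Linux guest, applies the Linux fixed-version rule summarised above (10.x fixed from 10.3.25, no fixed 11.x build, 12.x fixed from 12.1.0), and assumes that `vmware-toolbox-cmd -v` prints a line of the form `major.minor.patch.build (build-N)`. The sample version strings at the bottom are constructed, with placeholder build numbers.

```sh
#!/bin/sh
# Added example (not VMware's code): classify the VMware Tools version found
# in a Linux guest against the fixed releases named for CVE-2022-31676.
# Assumptions: the Linux affected set reported above (10.x fixed in 10.3.25,
# 11.x has no fixed release, 12.x fixed in 12.1.0) and the
# "major.minor.patch.build (build-N)" line that vmware-toolbox-cmd -v prints.

# Reduce raw "vmware-toolbox-cmd -v" output to "major.minor.patch";
# prints nothing if the input does not start with three numeric fields.
vmtools_version() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Numeric field-by-field comparison of two dotted versions; prints -1, 0 or 1.
# Missing trailing fields count as 0, so 12.1 compares equal to 12.1.0.
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        x="${x:-0}";  y="${y:-0}"
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    printf '%s\n' 0
}

# Prints "fixed", "vulnerable" or "unknown" for one line of version output.
# Branches the advisory does not list (e.g. 9.x) are reported as unknown,
# never as fixed, so they still get a second look.
cve_2022_31676_status() {
    v=$(vmtools_version "$1")
    if [ -z "$v" ]; then printf '%s\n' unknown; return 0; fi
    case "$v" in
        10.*) [ "$(version_cmp "$v" 10.3.25)" -ge 0 ] && printf '%s\n' fixed || printf '%s\n' vulnerable ;;
        11.*) printf '%s\n' vulnerable ;;   # no fixed 11.x build exists: move to 12.1.0
        12.*) [ "$(version_cmp "$v" 12.1.0)" -ge 0 ] && printf '%s\n' fixed || printf '%s\n' vulnerable ;;
        *)    printf '%s\n' unknown ;;
    esac
}

# Check the real installation when the tool is present in this guest.
if command -v vmware-toolbox-cmd >/dev/null 2>&1; then
    printf 'installed VMware Tools: %s\n' "$(cve_2022_31676_status "$(vmware-toolbox-cmd -v)")"
fi

# Constructed sample outputs (build numbers are placeholders, not real builds).
for sample in "10.3.23.11111 (build-11111)" "10.3.25.22222 (build-22222)" \
              "11.3.5.33333 (build-33333)"  "12.0.5.44444 (build-44444)" \
              "12.1.0.55555 (build-55555)"  "not a version string"; do
    printf '%-32s %s\n' "$sample" "$(cve_2022_31676_status "$sample")"
done
```

The Windows equivalent is the same comparison run against `VMwareToolboxCmd.exe -v` from the Tools installation directory, with the difference that the advisory lists only the 11 and 12 branches as affected there.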
Carbon Black EDR
Some users of the Carbon Black EDR software had a nasty surprise on August 23 when their Windows servers suddenly crashed and then showed a blue screen of death with the stop code “PFN_LIST_CORRUPT” when they were rebooted. Carbon Black is an endpoint detection and response (EDR) product for spotting malware and attacks; its manufacturer of the same name was acquired by VMware in 2019.
As VMware now concedes in a knowledge base article, the crashes and blue screens were caused by a faulty antivirus rule set. Versions 3.6 and 3.7 of the sensor software were affected.
The issue was addressed through an update to the AV rules; according to VMware, affected systems should then boot again without further intervention. For more stubborn cases, the knowledge base article offers workarounds to revive the machines and a way to check which rule set your own sensors are running.