VMware has patched two security flaws, an OS command injection vulnerability and a file upload hole, in its Carbon Black App Control security product running on Windows.
Both bugs are rated 9.1 out of 10 in terms of CVSS severity. They can be exploited to execute arbitrary commands on the Windows host, such as commands to deploy malware, exfiltrate data, or explore the rest of the network.
In both cases, an attacker needs to be logged in as an administrator or highly privileged user, which means exploitation is limited to rogue insiders and hijacked admin accounts. On the other hand, exploitation means a bad situation is about to get a lot worse. Given the rise of insider threats, and compromised administrator access, patching this to limit scope of even trusted accounts isn't such a bad idea.
VMware's advisory on the matter does not say whether or not these holes are under active attack. When we asked the virtualization giant for clarity, a spokesperson didn't give us an answer, instead telling us:
The security of our customers is a top priority at VMware, and we encourage customers to apply the patches provided in our security advisory, VMSA-2022-0008. Customers should also join VMware's Security-Announce mailing list to receive the latest VMware security advisories.
Both vulnerabilities affect VMware's Carbon Black App Control product. This is an agent-based datacenter security tool that allows system administrators to lock down servers and prevent any unwanted changes to or tampering with critical systems.
One of the security flaws, CVE-2022-22951, is an OS command injection vulnerability. According to VMware, it could allow authenticated attackers with high privileges and network access to the VMware App Control administration interface to remotely execute commands on the server.
The second, CVE-2022-22952, could allow attackers with administrative access to upload a specially crafted file to then execute malicious code on the Windows instance running the App Control server.
Security consultant Jari Jääskelä found both bugs and reported them to VMware.
The Carbon Black App Control flaws follow earlier security alerts including two critical guest-to-host vulnerabilities in the XHCI and UHCI USB controllers in VMware's ESXi hypervisor. The XHCI and UHCI USB controller bugs, which VMware patched in February, could allow attackers with administrative privileges in a virtual machine to execute malicious code as the VM's VMX process on the host.
And, of course, not even VMware could escape the Log4j vulnerability, which affected virtually every enterprise product on the planet late last year. Some software shops are still struggling to patch it.
In all, more than 100 VMware products were impacted by the Log4j blunder, which kept VMware busy issuing a slew of patches between December 2021 and February 2022.
Shortly after the vendor disclosed its first Log4J vulns, VMware identified another critical flaw: a server-side forgery request in VMware's Workspace ONE Unified Endpoint Management (UEM) product.
This one could allow someone with network access to UEM to send requests without authentication and then "exploit this issue to gain access to sensitive information," according to VMware's security advisory. ®
The UK Ministry of Defence has suspended online application and support services for the British Army's Capita-run Defence Recruitment System and confirmed to us that digital intruders compromised some data held on would-be soldiers.
The army was informed of the break-in on March 14, and "that a group of hackers was going to release Army Application Data on the dark web," a source familiar with the matter told us.
Two days later, the Army shut down the career website and DRS as a precautionary measure.
Investment sentiment in S/4HANA, SAP's in-memory ERP platform, is falling for the first time among the software giant's German-speaking users.
According to a survey from DSAG, which counts users in Germany, Austria, and Switzerland among its members, the proportion of organizations to which S/4HANA was relevant to their SAP investments fell to 50 per cent in early 2022, down from 56 per cent the previous year.
A willingness among users to spend on the Business Suite platform – the earlier generation of technology based on the ERP Central Component or ECC – also fell slightly, from 25 per cent to 24 per cent over the same period.
Edinburgh's Heriot-Watt University has entered a second week of woe following a vist by an infosec nasty.
The 200-year-old institution's IT team first referred to the crisis as a "security incident" but a spokesperson confirmed to The Register that it was a cyber attack.
A week on, things remain resolutely broken. VPN? Down. Oracle R12 Finance System? Down. Staff shared areas? Down. Even staff and student directories remain unavailable, hinting at some severe trouble within the university's on-premises infrastructure.
Thailand's Securities and Exchange Commission (SEC) announced on Wednesday a ban on using cryptocurrencies and other digital assets as a means of making payments.
Trade in the digital currencies will continue to be permitted, but as assets only.
The ban goes into effect on April 1, but digital assets payment operators will be given a grace period through the end of the month.
Two important figures in computing industry have died.
Stephen E. Wilhite will be remembered as the creator of the Graphics Interchange Format – the ubiquitous GIF – and always insisted it be pronounced as "jif" with a soft "g".
Those who pointed out that his preferred pronunciation was inconsistent or illogical were met with a stern: "They are wrong".
GTC Check Point Software has put Nvidia GPUs and artificial intelligence techniques to work across its broad portfolio of security tools in order to address and adapt better to an increasingly sophisticated and rapidly changing threat environment.
"In the last one year and a half, the threat landscape has evolved very, very fast," Dorit Dor, chief product officer at Check Point, said during a session at Nvidia's GTC conference this week. "It's exceptionally dangerous these days. We see extreme attacks. APTs [advanced persistent threats] from nation-states. We see it coming through supply chain and leveraging ransomware. We see amazing software vulnerabilities across the board and we see attacks on [digital] wallets and cryptocurrency."
The escalation in threats started with the supply-chain attack on software maker SolarWinds in late 2020, Dor said. That attack saw the Russia-linked group Nobelium insert malicious code into the vendor's Orion monitoring platform, which users then unwittingly ran once they installed updates of the product. Dor pointed to another supply-chain hack – on developer tools maker Codecov early last year – and the flaw in the widely used Log4j open-source logging tool last year that has been exploited dozens of times.
Workflow specialist ServiceNow has announced a heavy emphasis on robotic process automation (RPA) in the next release of its platform, to get aging applications working with each other in a more user-friendly fashion.
One analyst said users already invested in workflow would welcome the release, but RPA specialists may have a technical edge.
ServiceNow has promised the "San Diego" release of its Now Platform will include more modern visual design as well as the RPA capabilities. The latter sits within the Automation Engine, which combines Integration Hub with a new RPA Hub that provides centralized command and a control center to monitor, manage, and deploy digital robots that automate repetitive manual tasks.
Toshiba's shareholders have rejected both the company's plan to split into two companies and a proposal to look for a private buyer.
The company today staged an extraordinary general meeting (EGM) to consider both proposals. The plan to split the company into two listed entities was developed by management after a previous plan to split into three was not well-received by investors.
Both plans were a response to years of management and governance failures – plus serious financial and corruption scandals – that drew investor agitation for a turnaround plan.
Tencent has decided to stop spending whatever it takes to increase its cloud revenue.
"For IaaS and PaaS, we are repositioning our focus on revenue growth at all costs to customer value creation and quality of growth, which should benefit our customers and margins over the longer term," president Martin Lau told investors on the company's Q4 and FY2021 earnings call yesterday.
Chief strategy officer James Mitchell said Tencent, and other cloud companies, have tried to grow and scale to as many customers as possible.
Mainland China's cloud infrastructure services market – covering both infrastructure as-a-service and platform as-a-service – is expected to grow to $84.7 billion by 2026, according to market analyst firm Canalys.
That amount reflects a five-year CAGR of 25 per cent from the $27.4 billion market the analyst firm counted in 2021, a year in which the market grew by 45 per cent from 2020's $18.9 billion.
The growth from 2020 to 2021 was mainly pandemic-induced – the rush to handle work from home, learn from home, ecommerce and online entertainment.
F-Secure's enterprise-facing business will have a new brand – WithSecure – and a sharpened focus when the company splits into two independent operations.
The move comes a month after the security vendor's board of directors revealed that the 34-year-old Helsinki-based company would carve out the consumer security business from its enterprise unit. The consumer business will retain the F-Secure name.
The final break will come this summer after a general meeting in May. The split is scheduled to complete on June 30.
The Register - Independent news and views for the tech community. Part of Situation Publishing
Biting the hand that feeds IT © 1998–2022