Issue
It is possible to bypass Cb Protection’s tamper protection, enabling a malicious actor to:
- Run a malicious file
- Prevent the startup of the Cb Protection agent or the server
Details
One of the responsibilities of Tamper Protection is to prevent registry modifications involving the agent’s and server’s binaries. In Microsoft Windows 64-bit operating systems, Tamper Protection is protecting the wrong registry keys. A malicious actor can exploit this flaw to define a bogus debugger entry and run a malicious file or prevent the startup of the agent or server.
More details can be found at https://community.carbonblack.com/message/11790
Workaround
To mitigate this vulnerability now, while a fix is being prepared within the product, you can create a Registry rule. The Registry rule will need to block modifications to the following keys:
HKLM\software\microsoft\windows nt\currentversion\image file execution options\*parity.exe*
HKLM\software\microsoft\windows nt\currentversion\image file execution options\*notifier.exe*
HKLM\software\microsoft\windows nt\currentversion\image file execution options\*timedoverride.exe*
HKLM\software\microsoft\windows nt\currentversion\image file execution options\*dascli.exe*
HKLM\software\microsoft\windows nt\currentversion\image file execution options\*crawler.exe*
HKLM\software\microsoft\windows nt\currentversion\image file execution options\*parityserver.exe*
HKLM\software\microsoft\windows nt\currentversion\image file execution options\*parityreport.exe*
HKLM\software\microsoft\windows nt\currentversion\image file execution options\*cb.exe*
If you need assistance in creating this rule, please contact technical support.
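As an added check that is not part of this advisory or Carbon Black's own tooling, the following PowerShell audit lists Image File Execution Options subkeys whose names match the Cb Protection binaries above and flags any Debugger value, which is the tamper this bypass relies on. It inspects both the native and Wow6432Node paths on 64-bit Windows; the advisory does not say which view the agent failed to protect, so checking both is an assumption.

```powershell
# Added audit example (not Carbon Black's code). Reports IFEO subkeys matching the
# Cb Protection binaries named in the workaround and flags a Debugger value.
# Checking both registry views on 64-bit Windows is an assumption about where a
# bogus entry could be placed; the advisory does not state which view is unprotected.
$Binaries = 'parity.exe','notifier.exe','timedoverride.exe','dascli.exe',
            'crawler.exe','parityserver.exe','parityreport.exe','cb.exe'

$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-CbIfeoTamper {
    foreach ($root in $IfeoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # IFEO subkeys are named after the image file; the wildcard match mirrors
        # the "*name*" pattern used in the Registry rule above.
        Get-ChildItem -LiteralPath $root | ForEach-Object {
            $subkey = $_
            $name   = $subkey.PSChildName
            if ($Binaries | Where-Object { $name -like "*$_*" }) {
                $debugger = (Get-ItemProperty -LiteralPath $subkey.PSPath -Name Debugger `
                             -ErrorAction SilentlyContinue).Debugger
                [pscustomobject]@{
                    Key      = $subkey.Name
                    Debugger = $debugger
                    Status   = if ($debugger) { 'TAMPERED: Debugger value present' }
                               else           { 'Key present, no Debugger value' }
                }
            }
        }
    }
}

$findings = @(Get-CbIfeoTamper)
if ($findings.Count -eq 0) {
    'No Image File Execution Options entries found for Cb Protection binaries.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run from an elevated prompt so both hives are readable; any row marked TAMPERED should be investigated and the entry removed before the agent or server is restarted.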
Solution
We have identified the changes necessary for the product and are planning to deliver the fix in Cb Protection 7.2.3 Patch 3 which is scheduled for release in the middle of October.