[Cb Response] Important Notice Related to Latest MacOS 10.11 and 10.12 Betas

Hi All,

We are aware that Apple has begun releasing betas for MacOS 10.11 (El Capitan) and 10.12 (Sierra) that are believed to be related to the Meltdown/Spectre changes. We have learned from our customers, and have confirmed via internal testing, that previous macOS sensors (including the recent 5.2.13 and 6.1.3 macOS CD releases) are not compatible with these 10.11 and 10.12 macOS betas and as such you will experience a kernel panic on boot.

In order to make affected machines usable again, you will need to boot into Safe Mode on each affected machine, remove the Cb Response kexts manually, and then restart.

We plan to provide support for the 10.11 and 10.12 changes in our upcoming 5.2.13 and 6.1.3 releases before proceeding to make these sensor versions generally available.

Please do not upgrade to the latest MacOS 10.11 and 10.12 betas on any system with Cb Response installed until we provide a sensor version that officially supports these latest changes.  Please follow this post for updates and additional details.

Impacted MacOS:

  • 10.12.6 macOS (Build 16G1205) - Security Update 2018-001 Sierra Beta
  • 10.11.6 macOS (Build 15G19009) - Security Update 2018-001 El Capitan Beta

Thanks,

The Cb Response Team

Comments

Against 10.12.6, we have reports of the following two beta builds also producing the same behavior:

  • 10.12.6 macOS (Build 16G1206)
  • 10.12.6 macOS (Build 16G1210)

Will this push back the release date of 6.1.3? Right now, High Sierra with Meltdown and Spectre patches is working with CB Response 6.1.3 CD, so that would be a viable resolution for our environment. We are only waiting on 6.1.3 to go to GA before upgrading our Macs to High Sierra. The sooner 6.1.3 goes to GA (with or without fix for Sierra and older), the sooner we'll be able to get out High Sierra and get around the issue with the Apple Patch for Sierra.

In order to make affected machines usable again, you will need to boot into Safe Mode on each affected machine, remove the Cb Response kexts manually, and then restart.

Could someone provide instructions on how to remove the CB Response kexts, please? We are trying to prevent upgrade but will assume someone in our deployment base will upgrade and then need to be rescued.

This command will get the job done of removing the kexts in case you get into this situation:

rm -rf /Library/Extensions/CbOsxSensor*

This will typically need to be done in single-user-mode because once the situation happens, it will kernel panic on normal boot (but will boot fine into single-user-mode to recover and execute the above step to allow a normal start).

FYI, the beta for OSX 10.12.6 just went live and is causing kernel panics even on agent version 6.1.3.

This is expected, right? The current 6.1.3 CD version is known to not support the updates.

Yeah, figured I would post it here. Apple didn't send out the email notices of the 10.12.6 patch until literally 45 seconds ago.

Does this affect the timeline for 5.2.13/6.1.3 general availability outlined in Cb Response: Information on macOS 10.13.2 Support? There it mentions a plan to release these builds by 1/29/2018 (next Monday). Would be good to know if new target dates have been set.

Hi All,

Thank you for your continued patience as we work to provide you with a mac sensor to support the 10.13.2 macOS. Internal testing confirmed that the recent 10.11 and 10.12 security updates cause Kernel Panic issues with the previous 6.1.3 and 5.2.13 sensors provided for CD release. We are in the process of updating these sensors to contain support for these security updates as well before making these sensors generally available. As such, we are delaying the Jan 29th date for general availability but plan to make these sensors available in early February. More information around updated timelines will be provided to this post as it becomes available.

~ Gino

red

I really wish you'd send an email when things like this are going to happen and not expect us to be reading every thread on this forum.

I've woken up this morning to a mass-crash event which is going to result in a mass CB de-install and may result in the company being kicked from all environments.

Seriously guys.

Hi Gino - might I suggest a proactive email to your CB Response customers? Bonus if you can target folks who run the OSX agent.

I would really like a way to subscribe to agent updates for what I use, either an email list or RSS feed or something. Hoping we catch this stuff in the forums is not a great way to communicate important updates like this.

red - as the new Product Manager for Cb Response - I agree that we need to begin using emails to communicate status for issues like what we've seen with our MacOS sensor.  I apologize for the fact that users did not receive this information in a timely fashion.  I will work with our teams to address this going forward - this will include receiving notifications via email.

Article Information
Creation Date: 01-18-2018