Please Read: Issue identified during Cb Response OS X Sensor Upgrade

Hello All,

This notice addresses an issue identified in Cb Response affecting OS X sensor upgrades.

  • A race condition exists when upgrading from OS X sensor version 5.2.0.161003 -> 5.2.3 that could result in a kernel panic.
    • Details: When upgrading, if the 5.2.0.161003 sensor does not unload kernel extensions within ~30 seconds, the upgrade will fail and cause a kernel panic.
    • Other important information:
      • A clean install of the OS X 5.2.3 sensor will be successful
      • Upgrades from the latest 5.1.1 Patch 4 OS X sensor (5.1.1.160915.1527) -> 5.2.3 will be successful
      • Upgrades from earlier 5.2.x OS X release candidates (dated earlier than 16/10/03) -> 5.2.3 will be successful
      • This issue only affects upgrades from 5.2.0.161003

The Cb Response Team recommends the following:

  • If you do not require Mac OS 10.12.1 support and are currently running the affected sensor (5.2.0.161003), you should not upgrade at this time.
  • If you are on the 5.1.1 patch 4 OS X sensor and require Mac OS 10.12.1 support, you should upgrade to the 5.1.3.161104.2049 sensor currently available via the standard Carbon Black YUM repositories. This version provides 10.12.1 support.
  • If you are on 5.1.1 and would like to upgrade to 5.2.x, you can upgrade to the 5.2.3 sensor with no issue.
  • Last, if you are on the 5.2.0.161003 sensor, and require 10.12.1 support, you should uninstall the affected sensor, reboot the endpoint, and perform a clean install of the 5.2.3 sensor.
    • Note: When performing the manual uninstall, you can use the '-d' flag to avoid duplicate sensor IDs in the UI after reinstall.

The team is working diligently to provide a fix to the issue. We regret any inconvenience. Please watch this post for updates and comment back with any questions or concerns.

Thanks,

Justin

Technical Product Manager - Cb Response

Comments

Hi Justin - couple of questions regarding this. The version you have listed is very similar to the version I see in my console. Specifically, I'm seeing 5.2.0.61003 but in your announcement you have it listed as 5.2.0.161003. Can you confirm if they are different versions or the same? Assuming they are the same version, is the kernel panic caused only by the upgrade process? We are starting to experience kernel panics in our environment on OSX Sierra systems running 5.2.0.61003 and want to understand whether this has certainly been fixed before I do a mass add/remove of the sensor to get to a later version.

Article Information
Creation Date: 12-01-2016
Views: 1085