| Field | Value |
| --- | --- |
| Product | Cb Response |
| Version Reported | macOS sensor 5.2.7+, 6.0.4+ |
| Version Resolved | |
| Severity Rating | Important |
| Exploitability | Low |
| Remediation - Cloud | No Immediate Action - all cloud services patched |
| Remediation - On Premise | |
Cb has identified a race condition in Cb Response macOS sensor versions 5.2.7+ and 6.0.4+. In narrow circumstances this can result in arbitrary files being categorized as binary executables. For any Cb Response customer who has opted in to upload files to VirusTotal, content files may have been unintentionally transmitted to VirusTotal.
Vulnerable sensors may miscategorize content files as executable content when the following conditions are present:
Cb Response customers (cloud or on-prem) with a macOS sensor matching these conditions that have also opted into sharing with VirusTotal may have had content files unintentionally transmitted to VirusTotal.
| Rating Type | Rating |
| --- | --- |
| Severity | Important |
| Exploitability | Low |
Severity is important because the condition may result in content files being uploaded from endpoints to VirusTotal.
Exploitability is low because it requires both non-standard configuration and a specific set of device conditions to trigger the race condition. Based on our empirical observations, only a small fraction of the vulnerable macOS sensors deployed have miscategorized files.
Carbon Black has made a patch available for Cb Response Server versions 6.1.2 and 5.3.1. This patch ensures that only executable files can be uploaded to the Cb CDC.
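The server-side fix described above gates uploads on whether a file really is executable content rather than trusting the sensor's categorization. The following Python is an added illustration of that kind of content-based gate and is not Carbon Black's code: it inspects the Mach-O and universal (fat) binary magic values in a file's first bytes before the file is allowed to leave for a third-party service such as VirusTotal. The sample files, and the names `is_macho_executable` and `gate_uploads`, are constructed for this example.

```python
import struct

# Mach-O header magic values as the first four bytes appear on disk.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce",  # MH_MAGIC: 32-bit, big-endian byte order
    b"\xce\xfa\xed\xfe",  # MH_CIGAM: 32-bit, little-endian (Intel / Apple silicon)
    b"\xfe\xed\xfa\xcf",  # MH_MAGIC_64: 64-bit, big-endian
    b"\xcf\xfa\xed\xfe",  # MH_CIGAM_64: 64-bit, little-endian
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # universal (fat) binary; header is big-endian


def is_macho_executable(data: bytes) -> bool:
    """Return True only if the content starts like a Mach-O or universal binary."""
    if len(data) < 8:
        return False  # too short to carry even a fat header
    head = data[:4]
    if head in MACHO_MAGICS:
        return True
    if head == FAT_MAGIC:
        # Java class files share the 0xCAFEBABE prefix. In a fat binary the next
        # big-endian uint32 is nfat_arch (a small architecture count); in a class
        # file the same bytes hold minor/major version and read as at least 45.
        nfat_arch = struct.unpack(">I", data[4:8])[0]
        return 0 < nfat_arch < 20
    return False


def gate_uploads(candidates):
    """Split (name, content) pairs into names allowed to be transmitted and names held back.

    Anything that is not recognisably executable is held back, regardless of how
    the endpoint sensor categorized it.
    """
    allowed, blocked = [], []
    for name, content in candidates:
        (allowed if is_macho_executable(content) else blocked).append(name)
    return allowed, blocked


# Constructed sample "files" (first bytes only) standing in for what a sensor might submit.
SAMPLE_FILES = [
    ("app_x86_64", b"\xcf\xfa\xed\xfe\x07\x00\x00\x01\x03\x00\x00\x80" + b"\x00" * 20),
    ("universal_app", FAT_MAGIC + b"\x00\x00\x00\x02" + b"\x00" * 40),
    ("Foo.class", FAT_MAGIC + b"\x00\x00\x00\x34" + b"\x00" * 16),  # Java class, major 52
    ("notes.txt", b"quarterly numbers and customer list\n"),
    ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("truncated", b"\xcf\xfa"),  # only two bytes: cannot be a valid header
]

if __name__ == "__main__":
    ok, held = gate_uploads(SAMPLE_FILES)
    print("allowed to transmit:", ok)
    print("held back:", held)
```

The gate is deliberately conservative: a miscategorized content file (the text note or the PDF above) is held back even though the sensor called it a binary, and a Java class file is held back because it is not a macOS executable. Checking the first bytes is cheap and sufficient for the "only executables leave the server" property; it does not replace fixing the categorization race on the endpoint itself.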
Carbon Black will also provide a patch for the macOS sensor. This will include a fix for the root cause issue.
Carbon Black has contacted every customer that had uploaded one or more unintended files and will make those files available for their review.
Based on our empirical observations so far, the environmental conditions required to trigger the race condition occur rarely. Only a small fraction of the vulnerable macOS sensors deployed have miscategorized files.
Patches are available from support for Response server versions 5.3.1 and 6.1.2.
If you disable sharing with VirusTotal, no files will be transmitted to the VirusTotal service.
If you disable collection of binaries from your macOS endpoints, modloads will be reported, including those from potentially unintended files, but the files will not be collected. This will also disable collection of binary files from newly launched processes.
If you disable collection of modloads, no modloads will be reported and their binaries will not be captured. Binary files from newly launched processes will continue to be collected as normal.
Sincere thanks to Jon Kaltwasser (@jonkaltwasser) from Stripe for his report that was the initial indication of the bug.