CB17-003 Cb Response - Race condition in macOS modload tracking - Important

Details:

Product: Cb Response
Version Reported: macOS sensor 5.2.7+, 6.0.4+
Version Resolved:
  • macOS sensor patch release date TBD
  • Response Server patch released for Cb Response Server versions 5.3.1 and 6.1.2.
Severity Rating: Important
Exploitability: Low
Remediation - Cloud: No immediate action - all cloud services patched
Remediation - On Premise:
  • macOS sensor patch release date TBD
  • Response Server patch released for 5.3.1 and 6.1.2. Please contact support to obtain the patch.

Executive Summary
Cb has identified a race condition in Cb Response macOS sensor versions 5.2.7+ and 6.0.4+. In narrow circumstances this can result in arbitrary files being categorized as binary executables. For any Cb Response customer who has opted in to upload files to VirusTotal, content files may have been unintentionally transmitted to VirusTotal.

Vulnerable sensors may miscategorize content files as executable content when the following conditions are present:

  • Cb Response sensor versions 5.2.7+ and 6.0.4+ from April 2017 or later
  • AND installed on macOS
  • AND sensor is configured to collect modloads (on by default)
  • AND sensor is configured to collect a copy of all binaries (on by default)
  • AND a content file is opened for processing
  • AND that content file is marked as “executable” either via file permissions or when mapped into memory
  • AND that processing takes place during system initialization or high file i/o volume (i.e., a race condition)

Cb Response customers (cloud or on-prem) with a macOS sensor matching these conditions that have also opted into sharing with VirusTotal may have had content files unintentionally transmitted to VirusTotal.

Type and Rating

Severity: Important
Exploitability: Low

Severity is important because the condition may result in content files being uploaded from endpoints to VirusTotal.

Exploitability is low because it requires both non-standard configuration and a specific set of device conditions to trigger the race condition. Based on our empirical observations, only a small fraction of the vulnerable macOS sensors deployed have miscategorized files.

Remediation

Carbon Black patched the Collective Defense Cloud (CDC) on 8/11/2017 to ensure only executable files are uploaded to VirusTotal. Executable files are defined narrowly to include only Win32 Portable Executable (PE), macOS Mach-O and Linux ELF formatted files. This patch prevents any content files from being forwarded to VirusTotal, regardless of the patch status of Response Servers or Sensors.
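The trigger conditions above show where the confusion lies: a content file can be "executable" in the permission-bit or mmap sense without being an executable format. The CDC fix described here closes that gap by judging format alone. The following is an added illustration of that kind of upload gate, written for this page and not Carbon Black's code: it classifies files as PE, Mach-O or ELF from their leading bytes and ignores the execute bit, so a chmod 755 shell script is not forwarded while a PE without any execute bit is. The sample files, names and the `should_forward` gate are constructed for the example; the magic numbers are the public format identifiers.

```python
import os
import stat
import struct
import tempfile
from typing import Optional

# Mach-O thin-binary magics: 32/64-bit, both byte orders (MH_MAGIC, MH_CIGAM, ...).
_MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
}
_FAT_MAGIC = b"\xca\xfe\xba\xbe"  # universal (fat) Mach-O; also the Java .class magic


def classify_executable(path: str) -> Optional[str]:
    """Return 'ELF', 'Mach-O', 'PE' or None, judged only by the file's contents."""
    with open(path, "rb") as fh:
        head = fh.read(64)
        if head[:4] == b"\x7fELF":
            return "ELF"
        if head[:4] in _MACHO_MAGICS:
            return "Mach-O"
        if head[:4] == _FAT_MAGIC and len(head) >= 8:
            # Java class files share this magic. Like file(1), disambiguate on the
            # second big-endian word: a fat header has a small nfat_arch, a class
            # file carries its major version (45 or more) there.
            (nfat_arch,) = struct.unpack_from(">I", head, 4)
            return "Mach-O" if 0 < nfat_arch < 30 else None
        if head[:2] == b"MZ" and len(head) >= 0x40:
            # DOS header: e_lfanew at 0x3C points at the "PE\0\0" signature.
            (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
            fh.seek(e_lfanew)
            if fh.read(4) == b"PE\x00\x00":
                return "PE"
    return None


def is_marked_executable(path: str) -> bool:
    """The permission-bit notion of 'executable' that the race confused with format."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def should_forward(path: str) -> bool:
    """Upload gate modelled on the CDC fix: only recognised formats pass, mode bits are ignored."""
    return classify_executable(path) is not None


def build_samples(directory: str) -> dict:
    """Write constructed sample files (minimal headers only, not real binaries)."""
    samples = {}

    def write(name: str, data: bytes, mode: int) -> None:
        p = os.path.join(directory, name)
        with open(p, "wb") as fh:
            fh.write(data)
        os.chmod(p, mode)
        samples[name] = p

    # A content file that happens to be chmod +x: the case this advisory is about.
    write("notes.sh", b"#!/bin/sh\necho 'quarterly numbers'\n", 0o755)
    # ELF64 identification bytes, padded to a 64-byte header.
    write("elf_bin", b"\x7fELF\x02\x01\x01" + b"\x00" * 57, 0o755)
    # 64-bit little-endian Mach-O magic, padded.
    write("macho_bin", b"\xcf\xfa\xed\xfe" + b"\x00" * 60, 0o755)
    # Universal binary header with nfat_arch = 2.
    write("fat_bin", _FAT_MAGIC + b"\x00\x00\x00\x02" + b"\x00" * 56, 0o755)
    # Java class file: same magic, major version 52 in the second word.
    write("Foo.class", _FAT_MAGIC + b"\x00\x00\x00\x34" + b"\x00" * 56, 0o644)
    # PE with no execute bit set: DOS header, e_lfanew = 0x40, signature at 0x40.
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    write("tool.exe", bytes(dos) + b"PE\x00\x00" + b"\x00" * 20, 0o644)
    return samples


def demo() -> dict:
    """Return {name: (format, marked_executable, forwarded)} for the constructed samples."""
    with tempfile.TemporaryDirectory() as d:
        samples = build_samples(d)
        return {
            name: (classify_executable(p), is_marked_executable(p), should_forward(p))
            for name, p in samples.items()
        }


if __name__ == "__main__":
    for name, (fmt, xbit, fwd) in demo().items():
        print(f"{name:12s} format={str(fmt):8s} x-bit={str(xbit):5s} forward={fwd}")
```

The point of the `fat_bin` / `Foo.class` pair is that a magic-number allow-list has its own edge cases: a gate that only compared the first four bytes would forward Java class files as "Mach-O", so a real implementation has to read far enough into the header to be sure of the format it claims to recognise.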

Carbon Black has made a patch available for Cb Response Server versions 6.1.2 and 5.3.1. This patch ensures that only executable files can be uploaded to the Cb CDC.

Carbon Black will also provide a patch for the macOS sensor. This will include a fix for the root cause issue.

Carbon Black has contacted every customer that had uploaded one or more unintended files and will make those files available for their review.

Mitigating Factors

Based on our empirical observations so far, the environmental conditions required to trigger the race condition occur rarely. Only a small fraction of the vulnerable macOS sensors deployed have miscategorized files.

Workarounds

Patches are available from support for Response server versions 5.3.1 and 6.1.2. 

If you disable sharing with VirusTotal, no files will be transmitted to the VirusTotal service.

If you disable collection of binaries from your macOS endpoints, modloads will be reported, including those from potentially unintended files, but the files will not be collected. This will also disable collection of binary files from newly launched processes.

If you disable collection of modloads, no modloads will be reported and their binaries will not be captured.  Binary files from newly launched processes will continue to be collected as normal.

Acknowledgements

Sincere thanks to Jon Kaltwasser (@jonkaltwasser) from Stripe for his report that was the initial indication of the bug.

Article Information
Creation Date: 08-18-2017