Within Cb Protection we have identified an issue in which rules can silently lose their ability to detect and respond to the operations they were written for, which can lead to security or operational weaknesses. We estimate this issue affected fewer than 4% of customers, and we are reaching out to those we believe have been impacted.
During our QA process we uncovered a defect that clears the Operation and Action fields of a rule, rendering the rule ineffective.
All Cb Protection rules contain Operation and Action fields that tell the agent which operations to watch for and what to do when it encounters one of them.
We have determined two situations in which the Operation and Action of a rule can be unintentionally cleared, so that the rule detects nothing and does nothing. Those situations occur when:
A rule is edited or modified using the hidden rule settings that are exposed only when ShowHiddenCustomRules is enabled
A Sample rule provided by Carbon Black is modified or enabled on Cb Protection 7.2.1 or later, and the server is then upgraded to 7.2.3 (any 7.2.3 build other than 7.2.3 Patch 4)
Affected versions: Cb Protection 7.2.1 and later, excluding new customers whose initial installation was 7.2.3 Patch 4.
Known Customer Impact
We estimate this issue has affected fewer than 4% of our customers.
Depending on the environment and the intention of the rule, the impact will vary.
An affected rule that was designed to report or block will do neither. For example, if the Autostart rule that ships with the product with an action of Report is impacted, it would not report any changes when a registry autostart location was modified. Because a detection the rule was meant to provide is lost without any indication, this should be treated as a security risk.
Similarly, an impacted rule that was designed to allow an application to run on a system configured for High Enforcement would not allow the file to execute, resulting in an unwanted block. While certainly a nuisance, this likely is not a security risk.
In both cases the rule does not do what it was intended to do; the security impact depends on what the rule was meant to accomplish.
For customers connecting to Cb Collective Defense Cloud (formerly known as SRS), a set of health indicators will be delivered via the cloud to your server running Cb Protection 7.2.1 or later. There are two separate health indicators: one displays rules that you can fix from within the console, and the other displays rules that need to be fixed with the assistance of Carbon Black Technical Support. Each alert includes information on how to address the impacted rules it lists.
If a health indicator detects a rule with a missing Operation and Action, an alert will display within the console. Conversely, if you do not have any impacted rules, the health indicator will report that as well.
If you are not connecting to the Cb Collective Defense Cloud, you can install the health indicators by running the attached SQL script on your Cb Protection database.
If you have any questions or need assistance with installing the health indicators, please contact Cb Technical Support.