Possible Local Escalation of Privilege Vulnerability on OS X Running Carbon Black Response

Issue

A Carbon Black Response customer has reported a vulnerability related to the directory permissions that the Carbon Black Response Installer sets when installing on macOS.

The Carbon Black Response Installer leaves the /Applications/CarbonBlack directory owned by <user>:wheel with elevated permissions. This allows a process running as that user to replace the CbOsxSensorService with another file, which launchd can then invoke with root privileges.

Recommended Workaround

Change the ownership of /Applications/CarbonBlack to root:wheel. For example, from the terminal:

sudo chown root:wheel /Applications/CarbonBlack
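
To confirm the workaround took effect on an endpoint, the following audit function is an added example, not part of the original article or of any Carbon Black tooling. It goes beyond the workaround by also listing entries inside the directory with the wrong owner or with group/other write bits; the function name and output format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an install directory for the ownership problem
# described in this article. Function name and output format are illustrative.

# audit_install_dir DIR [EXPECTED_UID]
# Prints one line per finding. Returns 0 if clean, 1 on findings, 2 on bad input.
audit_install_dir() {
    dir=$1
    want_uid=${2:-0}    # UID 0 (root) by default, matching the root:wheel workaround

    if [ ! -d "$dir" ]; then
        echo "ERROR: $dir is not a directory" >&2
        return 2
    fi

    # Entries not owned by the expected UID. An unprivileged owner of the
    # directory can replace the files inside it.
    bad_owner=$(find "$dir" ! -type l ! -user "$want_uid" -print)

    # Entries writable by group or other (assumption: a stricter check than
    # the article's workaround, which only changes the directory owner).
    bad_mode=$(find "$dir" ! -type l \( -perm -020 -o -perm -002 \) -print)

    status=0
    if [ -n "$bad_owner" ]; then
        echo "$bad_owner" | sed 's/^/OWNER: /'
        status=1
    fi
    if [ -n "$bad_mode" ]; then
        echo "$bad_mode" | sed 's/^/WRITABLE: /'
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: $dir"
    fi
    return "$status"
}

# When run as a script with arguments, audit the given directory, e.g.:
#   sh audit.sh /Applications/CarbonBlack
if [ "$#" -gt 0 ]; then
    audit_install_dir "$@"
fi
```

A non-zero exit status with OWNER lines for /Applications/CarbonBlack means the directory is still owned by a non-root account.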

Important Note(s)

Carbon Black will release a fix in our next release of the OS X Sensor.

Creation Date: 09-30-2016