Issue

A vulnerability has been reported by a Carbon Black Response customer related to directory permissions set by the Carbon Black Response Installer when installing on MacOS.

The Carbon Black Response Installer leaves the /Application/CarbonBlack directory owned by <user> wheel with elevated permissions. This allows a process running as the user to replace the CbOsxSensorService with another file which can then be invoked by launchd as root/privileged.

Recommended Workaround

Change the permissions of /Applications/CarbonBlack to be root:wheel. For example from the terminal:

sudo chown root:wheel /Applications/CarbonBlack

Important Note(s)

Carbon Black will release a fix in our next release of the OS X Sensor.