Possible Local Escalation of Privilege Vulnerability on OS X Running Carbon Black Response
A Carbon Black Response customer has reported a vulnerability related to the directory permissions set by the Carbon Black Response Installer when installing on macOS.
The Carbon Black Response Installer leaves the /Applications/CarbonBlack directory owned by <user>:wheel with elevated permissions. This allows a process running as that user to replace CbOsxSensorService with another file, which launchd can then invoke as root (privileged).
Change the ownership of /Applications/CarbonBlack to root:wheel. For example, from the terminal:
sudo chown root:wheel /Applications/CarbonBlack
Carbon Black will release a fix in our next release of the OS X Sensor.
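To confirm the workaround took effect, the following check reports whether a directory is owned by uid 0 and gid 0 (root:wheel on macOS). It is an added example, not Carbon Black tooling; the function name check_owner and the extra world-writable test are assumptions that go beyond what the advisory states.

```shell
#!/bin/sh
# Added example: audit ownership of the sensor install directory.
# check_owner is a hypothetical helper name, not part of the product.

# check_owner DIR
# Prints one line per finding. Returns 0 when DIR is owned by uid 0 and
# gid 0 (root:wheel on macOS) and is not world-writable, 1 when a finding
# exists, 2 when DIR is missing.
check_owner() {
    path=$1
    if [ ! -d "$path" ]; then
        echo "MISSING $path"
        return 2
    fi
    # ls -ldn is POSIX and prints numeric ids: mode links uid gid ...
    meta=$(ls -ldn "$path" | awk 'NR==1 {print $1 " " $3 " " $4}')
    mode=${meta%% *}
    rest=${meta#* }
    uid=${rest%% *}
    gid=${rest#* }
    rc=0
    if [ "$uid" != 0 ]; then
        echo "FINDING $path owner uid=$uid, expected 0 (root)"
        rc=1
    fi
    if [ "$gid" != 0 ]; then
        echo "FINDING $path group gid=$gid, expected 0 (wheel)"
        rc=1
    fi
    # The 9th character of the mode string is the "other" write bit.
    # Assumption: a world-writable directory is treated as a finding too.
    case $mode in
        ????????w*) echo "FINDING $path is world-writable ($mode)"; rc=1 ;;
    esac
    if [ "$rc" -eq 0 ]; then
        echo "OK $path uid=0 gid=0 mode=$mode"
    fi
    return "$rc"
}

# Run the check only when a directory is passed on the command line,
# e.g.  sh check_owner.sh /Applications/CarbonBlack
if [ "$#" -gt 0 ]; then
    check_owner "$1"
fi
```

A non-zero exit status after the chown has been applied means the directory is still replaceable by a non-root account and the host needs another look.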