Alert Stop Bad Rabbit Ransomware In Its Tracks. Learn more

Corner-Case Bug Potentially Affecting 10 Cb Response Customers

Blog_Image_Lead
Exec-CB-Metallic-Mike-Viscuso
August 18, 2017 / Michael Viscuso

On Thursday, August 10, Carbon Black discovered a corner-case bug potentially affecting 10 Cb Response customers. The bug was introduced in April 2017 and requires a set of specific conditions to occur in order to be triggered.

We have remediated the bug, proactively notified the 10 potentially affected customers, and posted a security bulletin to all customers via our User Exchange (UeX).

Carbon Black takes our customers’ security seriously. We responsibly disclose bugs according to the highest, most transparent industry standards, regardless of a bug’s footprint.

What is the Bug?

In the presence of certain MacOS third-party applications, the Cb Response sensor (v5.2.7+ and v6.0.4+) occassionally miscategorizes some content files as binaries. If a customer configured a computer to upload unknown binaries to a third-party, cloud-based, multi-scanner, these content files would be uploaded to the multi-scanner as well.

Based on our review to date, in order for this corner-case bug to be triggered, all of the following conditions must have occurred:

Cb Response sensor versions 5.2.7+ and 6.0.4+ from April 2017 or later

AND installed on macOS
AND sensor is configured to collect modloads
AND sensor is configured to collect a copy of all binaries
AND sensor is configured to upload unknown binaries to the multi-scanner
AND a content file is opened for processing
AND that content file is marked as “executable” either via file permissions or when mapped into memory
AND that processing takes place during system initialization or high file i/o volume (i.e., a race condition)

Within 24 hours of discovering the bug, we pushed updated logic to our Collective Defense Cloud to prevent content files from being uploaded to the multi-scanner.

We have already notified the 10 potentially affected customers.  We are securely providing them with a copy of content files uploaded to the multi-scanner.

On Sunday, August 13, we were informed these content files were removed from the multi-scanner’s repository.

We take customer security very seriously and continue to work with those who have experienced this corner-case bug.

Acknowledgements

Sincere thanks to Jon Kaltwasser (@jonkaltwasser) from Stripe for his report that was the initial indication of the bug.  

TAGS: Carbon Black / Cb Response / software

Related Posts