
Carbon Black Solutions Currently Compatible With Major OS Vendor Patches on Meltdown & Spectre

January 5, 2018 / Editorial Staff

Recently, researchers released details on two classes of vulnerabilities in modern CPU hardware. These vulnerabilities affect an unprecedented number of systems and are among the more difficult issues to address in recent history.

These vulnerabilities, dubbed Meltdown and Spectre, may be exploited to read privileged memory between security contexts on impacted machines. Successful exploits may expose sensitive information or allow attackers to elevate privileges.

Carbon Black Compatibility with OS Vendor Patches

We are focused on testing our products for compatibility issues with OS vendor patches as they are released. At this time there are no known compatibility issues between any of the Cb products and the patch released by Microsoft, or any other OS vendor's patches.

Windows Compatibility

                                                                  Cb Defense   Cb Response                 Cb Protection
Compatible with Windows patch?                                    YES          YES                         YES
Is the registry key required by Microsoft prior to installing     YES          NO (NOT REQUIRED BY MSFT)   NO (NOT REQUIRED BY MSFT)
the patch?

Notes:

  • This applies to the latest versions of Cb software.
  • Carbon Black will not be automatically pushing out the registry key to all systems. We recommend leveraging your existing IT tooling to perform this task, with the understanding that you may have co-existing security software that is not yet compatible with the patch. Please ensure that all AV software is compatible before pushing the registry key. If Carbon Black products are the only security products installed, you are safe to push the registry key.
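The note above leaves the actual check to your own tooling. The following PowerShell is an added example, not Carbon Black's script: it inspects the Microsoft compatibility flag that the January 2018 Windows update requires, and refuses to set it while any AV product outside an allow-list is registered with Windows Security Center. The key and value names are Microsoft's published ones; the allow-list contents are a placeholder you must fill in from your own vendors' compatibility statements.

```powershell
# Added example (not Carbon Black tooling). Assumes Microsoft's QualityCompat
# key/value names as published in January 2018; $AllowedAv is a placeholder.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$ValueName = 'cadca5fe-e7ab-4e8f-a5a7-c1f3d6d5d7a1'
# Display names of AV products you have confirmed compatible (edit for your estate).
$AllowedAv = @('Cb Defense', 'Windows Defender')

function Get-QualityCompatState {
    # $true when the flag is already present with the expected DWORD value 0.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$ValueName -eq 0)
}

function Get-RegisteredAv {
    # Security Center registrations exist on client SKUs only; on Windows Server
    # the namespace is absent and an empty list is returned, so review manually.
    try {
        Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop |
            Select-Object -ExpandProperty displayName
    } catch { @() }
}

function Set-QualityCompatFlag {
    param([switch]$Apply)   # without -Apply this is a dry run
    if (Get-QualityCompatState) { Write-Output 'QualityCompat flag already set'; return }
    $unknown = @(Get-RegisteredAv | Where-Object { $AllowedAv -notcontains $_ })
    if ($unknown.Count -gt 0) {
        Write-Warning "Not setting flag; unverified AV present: $($unknown -join ', ')"
        return
    }
    if (-not $Apply) { Write-Output "Would set $KeyPath\$ValueName = 0 (rerun with -Apply)"; return }
    New-Item -Path $KeyPath -Force | Out-Null
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Output 'QualityCompat flag set'
}

Set-QualityCompatFlag   # dry run; run with -Apply from an elevated shell to write the key
```

Run it under your normal software-distribution tooling rather than by hand so the same allow-list is enforced on every endpoint.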

Carbon Black Cloud Infrastructure Patching

We are mitigating the risk to our cloud environment. The primary concern in a cloud environment is preventing a VM from using these vulnerabilities to read data belonging to other VMs colocated on the same hardware. Amazon has already addressed this concern with updated kernel patches to their virtualization infrastructure and subsequent reboots of all affected instances. As of Jan 4, all Cb instances in the AWS infrastructure have been rebooted as necessary to protect against this concern.

We continue to patch our operating systems, following Amazon's update recommendations as well as OS vendor recommendations for securing our AWS infrastructure.

Current Status

As we continue to mitigate the risk, we are taking a deliberate and diligent approach to applying OS patches to ensure there are no stability or performance issues. We continue to monitor our OS vendors for available patches and will follow our internal patching process as they become available.

Recommended Actions

As a cloud service provider, Carbon Black is applying patches during our regularly scheduled maintenance windows, and customers can expect maintenance communications as appropriate.

Note: If you are running your own Cb Response or Cb Protection instance, you will need to patch the host OS with the relevant vendor patches as they become available. We continue to test the compatibility and performance impact of the new OS patches with server components and will provide updates in the future.

Customer Protection

These vulnerabilities are interesting and novel in several ways, but over the past few months the industry has done a lot of work to get ahead of the problem. Patches are available from OS vendors, and our primary recommendation (as for any vulnerability) is to apply the fixes available from your operating system and hardware vendors. This is the best way to protect your environment from known vulnerabilities. Furthermore, the exploits for these vulnerabilities are local and form part of a larger attack chain; the goal should be to detect and prevent attacks using these techniques at every phase of that chain.

These vulnerabilities are unusual in that they reside in logic implemented in the CPU hardware itself. Operating systems can be patched to make exploitation more difficult and to reduce its impact, but the situation illustrates the challenge of relying on trust boundary enforcement and trust validation at lower levels of the system. Essentially, if the processor does not enforce trust boundaries, or creates conditions in which information leaks across them, there is no practical detection or defense that can be implemented at higher layers of the system to prevent such leaks.

In light of these vulnerabilities, our recommendations regarding endpoint security remain unchanged: the best protection against attacks before they happen is to minimize your attack surface, first by patching known vulnerabilities with available fixes, and next by preventing untrusted code from running on your systems.

For users of Cb Defense, this means following the best practices for improving policies. For Cb Protection users, the best way to minimize attack surface is to get as many systems as possible into high enforcement. Advanced attacks that take advantage of vulnerabilities such as Spectre and Meltdown are not self-contained; they require preliminary attacks and additional actions, which Carbon Black will detect.

Users of Cb Defense and Cb Response should use their EDR functions to monitor for attack activity as they always have, paying special attention to browser-related threats, alerts regarding credential theft, and suspicious network connections.

We are not aware of any weaponization of these techniques in the wild at this time. If any is found, we will update this post and our threat feeds. As malicious binaries leveraging Meltdown and Spectre are discovered, we will update our signatures and reputation data to defend against known threats. In addition, we recommend that customers subscribe to the Vulnerability Update post on the Cb User Exchange for more information pertinent to the Cb customer base.

We will continue to analyze these vulnerabilities, the associated exploits, and future developments to determine the best detection methods and to ensure Carbon Black products provide the best security available.

TAGS: Carbon Black / Meltdown / Spectre