Carbon Black: Bug Shared Content Files with VirusTotalBug Has Been Patched; 10 Customers on MacOS Affected
Carbon Black rolled with the punches last week after it was accused of exposing customer data via a so-called "architectural flaw" in its endpoint detection product by Denver-based Direct Defense (see Here's How Ugly Infosec Marketing Can Get).
There was no flaw. But a company review prompted by the charge has, in fact, uncovered a now-patched bug that did expose customer data, albeit on a small scale.
About 10 of Carbon Black's 3,000 customers are affected."
The finding again involves a function that many vendors have incorporated into their endpoint detection products. The function sends an unknown file to VirusTotal, a so-called multi-scanner from Google.
VirusTotal runs a file through more than 60 other anti-malware scanners from various vendors. That sharing, however, usually only occurs if customers have selected the option to upload files because sharing could result in data exposure.
Carbon Black took a closer look at Cb Response to check for bugs after DirectDefense's accusation. It found Cb Response would sometimes share content files with VirusTotal in very specific circumstances. About 10 of Carbon Black's 3,000 customers are affected.
Those customers have been notified, and Carbon Black has provided the customers with copies of the files, Michael Viscuso, Carbon Black's co-founder and CTO, writes in a blog post. The files have now all been removed from VirusTotal as of Aug. 13, he says.
"Carbon Black takes our customers' security seriously. We responsibly disclose bugs according to the highest, most transparent industry standards, regardless of a bug's footprint," Viscuso writes in the blog.
The bug, introduced in April, only affects MacOS. A sensor within Cb Response mistakenly classified some content files as binaries before flicking them to VirusTotal. The files were only shared if customers had already enabled sharing.
The situation could potentially result in the exposure of sensitive data, depending on what is in the files. VirusTotal subscribers have access to its full cache of files, which can be downloaded for analysis.
The affected versions of Cb Response are v5.2.7+ and v6.0.4+, Viscuso writes. For the bug to be triggered, customers must have the sensor configured to collect modloads and all binaries and to upload unknown ones to a multi-scanner, among other conditions.
Thanks for Sharing, But...
Sharing binaries with VirusTotal and other scanners is an incredibly popular feature in endpoint detection products. It's essentially a backstop: If a particular product can't reach a verdict on whether a binary is malicious, the decisions made by other vendors are useful input.
Carbon Black's kerfuffle with DirectDefense was rooted in that sharing. DirectDefense found sensitive data on VirusTotal and traced the uploaded files to Carbon Black. It alleged the situation amount to the "world's largest pay-for-play exfiltration botnet."
The truth was not nearly as hyperbolic. Some of Carbon Black's customers had switched on the feature to share files with VirusTotal. The feature is off by default. But apparently those organizations did not realize they were sharing binaries containing AWS credentials, Slack API keys, Atlassian single sign-on credentials, Google Play keys and Apple Store IDs.
Over several months, DirectDefense and an unnamed partner notified organizations that were affected, which included a large media streaming company, a social network and a financial services firm. But DirectDefense did not notify Carbon Black before publishing its blog post, which many took as a cheap shot that contradicted the industry convention of responsible disclosure.
DirectDefense CEO Jim Broome told Information Security Media Group that the company chose a sensationalist tone after failing to get more attention to the issue of the potential data leaks that could occur by sharing binaries. Despite the criticism, DirectDefense hasn't modified its blog post.
What's the Lesson?
Carbon Black is fortunate that the bug was isolated to very specific use cases.
The affected organizations presumably knew they were voluntarily sharing and were conscious of the risks. But it's a strong reminder that dependency on other suppliers, which is virtually impossible to avoid, can result in data mishaps.