Bypass of Cb Protection Tamper Protection

By Tim Smith posted Sep 29, 2016 03:04 PM

Issue

It is possible to bypass Cb Protection’s tamper protection, enabling a malicious actor to:

  • Run a malicious file
  • Prevent the startup of the Cb Protection agent or the server

Details

One of the responsibilities of Tamper Protection is to prevent registry modifications involving the agent’s and server’s binaries. In Microsoft Windows 64-bit operating systems, Tamper Protection is protecting the wrong registry keys. A malicious actor can exploit this flaw to define a bogus debugger entry and run a malicious file or prevent the startup of the agent or server.

More details can be found at https://community.carbonblack.com/message/11790

Workaround

Until the product fix ships, you can mitigate this vulnerability by creating a Registry rule. The Registry rule will need to block modifications to the following keys:

  • HKLM\software\microsoft\windows nt\currentversion\image file execution options\*parity.exe*
  • HKLM\software\microsoft\windows nt\currentversion\image file execution options\*notifier.exe*
  • HKLM\software\microsoft\windows nt\currentversion\image file execution options\*timedoverride.exe*
  • HKLM\software\microsoft\windows nt\currentversion\image file execution options\*dascli.exe*
  • HKLM\software\microsoft\windows nt\currentversion\image file execution options\*crawler.exe*
  • HKLM\software\microsoft\windows nt\currentversion\image file execution options\*parityserver.exe*
  • HKLM\software\microsoft\windows nt\currentversion\image file execution options\*parityreport.exe*
  • HKLM\software\microsoft\windows nt\currentversion\image file execution options\*cb.exe*

If you need assistance in creating this rule, please contact technical support.
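An audit you can run alongside the Registry rule, as an added PowerShell example that is not part of this advisory: it lists any Image File Execution Options subkey whose name matches one of the eight protected binaries and reports its Debugger value. Checking both the native 64-bit view and the WOW6432Node view is an assumption made here; the advisory only states that the wrong keys are protected on 64-bit Windows.

```powershell
# Added audit example (not from the Carbon Black advisory).
# Run in an elevated PowerShell session on the agent or server being audited.

# Binary names taken from the workaround's registry rule above.
$Binaries = @('parity.exe', 'notifier.exe', 'timedoverride.exe', 'dascli.exe',
              'crawler.exe', 'parityserver.exe', 'parityreport.exe', 'cb.exe')

# Assumption: on 64-bit Windows both registry views carry an IFEO key, so both are checked.
$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-CbIfeoEntries {
    $findings = @()
    foreach ($root in $IfeoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Enumerate every IFEO subkey and keep those whose name contains a
        # protected binary name, mirroring the *name.exe* wildcards in the rule.
        foreach ($key in (Get-ChildItem -LiteralPath $root)) {
            foreach ($bin in $Binaries) {
                if ($key.PSChildName -like "*$bin*") {
                    $findings += [pscustomobject]@{
                        Binary   = $bin
                        KeyPath  = $key.Name
                        # A populated Debugger value means another executable is
                        # launched in place of the agent or server binary.
                        Debugger = $key.GetValue('Debugger')
                    }
                }
            }
        }
    }
    return $findings
}

$results = @(Get-CbIfeoEntries)
if ($results.Count -eq 0) {
    Write-Output 'No IFEO entries found for the Cb Protection binaries.'
} else {
    # Any hit should be investigated and compared against the expected state.
    $results | Format-Table -AutoSize
}
```

The same subkey names are what the Registry rule above blocks; the audit confirms nothing was written before the rule took effect.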

Solution

We have identified the changes necessary for the product and are planning to deliver the fix in Cb Protection 7.2.3 Patch 3 which is scheduled for release in the middle of October.
