Feature or Flaw, the Risk Still Exists: Our Response to Carbon Black

Carbon Black’s assertion that this only affects Cb Response:

Carbon Black’s response to our post is just more validation of our findings. In general, vendors need to be more careful with how they handle customer data, even if it is an optional feature. As we stated in the blog post, we were unsure if this affected all of Carbon Black’s products, but we were positive this feature existed in Cb Response.

Regarding CB’s optional feature:

Yes, we’ve seen this feature setting in the product and in the manual, which states that it is off by default. However, the recommendation or messaging from Carbon Black’s professional services team during the course of installing the product is to turn this feature on to help accelerate the analysis of the file scans.

As CB’s own responses in forums like Reddit state, the feature is a trade-off: “Enabling it is a risk/benefit tradeoff – the blog post clearly demonstrates the risk, but ignores the benefits.”

We agree, but what is missing is education for customers, or at the very least an explanation that some systems should be exempted from this feature via policy or should use an alternative solution, even Cb Defense.

What seems to have gotten lost in the messaging to customers is the risk posed by enabling this feature on systems that handle or create sensitive data on a daily basis, namely development and automation desktops.

Why we chose to disclose:

Our assertion is that this is not a vulnerability in the product, but an architectural or integration issue between vendors providing a solution to customers. At the end of the day, both solutions provide a valuable service. The issue is that customers are unaware of the implications or threats posed to the confidentiality of their data when features like this are enabled.

We strongly believe in EDR solutions, and we strongly believe in multiscanners. Due to the sensitive nature of data that is sent out of organizations, and the lack of awareness on the part of customers, our goal was to educate users about the risks posed by this architecture.