Pentesting firm DirectDefense announced yesterday that it had found a vulnerability in Carbon Black’s Cb Response product, calling the resulting exposure the “world’s largest pay-for-play data exfiltration botnet.” The issue lies in Cb Response’s optional use of VirusTotal for file scanning: files are uploaded to VirusTotal to determine whether they are ‘good’ or ‘bad’. Because VirusTotal makes submitted files available to its paying subscribers, confidential data belonging to Cb Response customers can end up with third parties, some of whom could use it for malicious purposes. The feature is turned off by default in Cb Response, and enabling it warns customers about VirusTotal’s public posting and sharing practices.
Dear Carbon Black team,
As a fellow vendor in the security and incident response space, we can only imagine what it is like to receive such bold claims against your product. We read the blog post, the press release, your response, their counter-response…and we feel for you. Having to deal with a PR crisis of this kind must be quite the way to start an otherwise uneventful Wednesday.
First off, we are all for a collaborative industry, and are disappointed that DirectDefense didn’t notify you in advance of their report. We know this must feel like a punch below the belt, and we hope never to be on the receiving end of a similar punch. We encourage researchers, analysts, and everyone in the industry to follow responsible disclosure and notify vendors of vulnerabilities and flaws found in security products before broadcasting them, as more often than not, security vendors will fix the flaw immediately. After all, we are all working toward the same goal: keeping organizations safe.
We are also aware that the feature in question is turned off by default in your product and that customers are warned when they choose to turn it on. This is standard practice, and we’re glad you are following it. That said, we would strongly suggest being careful about recommending the use of VirusTotal’s file-scanning capabilities in your demos, marketing materials, and customer meetings. You may not know this, but some of us at Secdo have been on the other side of the table prior to joining our company, and were once buyers of software like yours. Had we considered buying your product and followed your guidance, one of our previous companies could easily have been listed in DirectDefense’s report (under a pseudonym like “Global X Type of Company,” of course), and trust us: all hell would have broken loose.
And don’t get us wrong, Secdo also uses VirusTotal in its workflow. It’s a great, super-quick way to find out whether an MD5 hash is ‘bad’, and customers love it. But we most certainly don’t use it to scan our customers’ files, regardless of whether the feature is optional or on by default, because we could be indirectly putting their sensitive data in jeopardy. That’s something we don’t want to play with, and it is why our platform’s file-scanning feature does not require our customers’ sensitive data to leave their premises.
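The distinction drawn above, between looking up a hash and submitting the file itself, is easy to see on the wire. The following is an added example written for this page; it is not Secdo’s or Carbon Black’s code. It builds the two kinds of VirusTotal v3 requests (the `GET /files/{hash}` lookup and the multipart `POST /files` upload, as documented publicly by VirusTotal) without sending them, then checks whether any plaintext of a constructed sample document would leave the host. The API key is a placeholder and the sample file is made up; the "16-byte window" leak check is an illustrative heuristic, not a VirusTotal feature.

```python
"""Added example: hash lookup vs. file upload to VirusTotal, and what each
request carries off-premises. Not code from Secdo or Carbon Black."""
import hashlib
import urllib.request
import uuid

VT_BASE = "https://www.virustotal.com/api/v3"   # public VirusTotal v3 base URL
API_KEY = "REPLACE-WITH-YOUR-KEY"               # placeholder; requests are never sent

# Constructed sample "customer document". Its contents are the sensitive part.
SAMPLE_FILE = b"CONFIDENTIAL: Q3 acquisition target list\nAcme Corp, 42M\n"


def sha256_hex(data: bytes) -> str:
    """Digest computed locally; this is all a reputation lookup needs."""
    return hashlib.sha256(data).hexdigest()


def build_hash_lookup(data: bytes) -> urllib.request.Request:
    """GET /files/{sha256}: only the digest travels to VirusTotal."""
    return urllib.request.Request(
        f"{VT_BASE}/files/{sha256_hex(data)}",
        headers={"x-apikey": API_KEY},
        method="GET",
    )


def build_file_upload(data: bytes, filename: str = "doc.txt") -> urllib.request.Request:
    """POST /files as multipart/form-data: the entire file travels to VirusTotal,
    and from there to whoever VirusTotal shares submissions with."""
    boundary = uuid.uuid4().hex
    body = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode() + data + f"\r\n--{boundary}--\r\n".encode()
    return urllib.request.Request(
        f"{VT_BASE}/files",
        data=body,
        headers={
            "x-apikey": API_KEY,
            "Content-Type": f"multipart/form-data; boundary={boundary}",
        },
        method="POST",
    )


def outbound_bytes(req: urllib.request.Request) -> bytes:
    """Everything content-bearing that would go on the wire: URL plus body."""
    return req.full_url.encode() + (req.data or b"")


def leaks_content(req: urllib.request.Request, data: bytes, window: int = 16) -> bool:
    """Illustrative check: True if any `window`-byte slice of the file's plaintext
    (as opposed to its digest) appears in the outgoing request."""
    out = outbound_bytes(req)
    last_start = max(1, len(data) - window + 1)
    return any(data[i:i + window] in out for i in range(last_start))


def egress_policy_allows(req: urllib.request.Request, data: bytes) -> bool:
    """A simple on-host gate: permit reputation lookups, refuse anything that
    would carry file contents off-premises."""
    return not leaks_content(req, data)


if __name__ == "__main__":
    for label, req in (("hash lookup", build_hash_lookup(SAMPLE_FILE)),
                       ("file upload", build_file_upload(SAMPLE_FILE))):
        print(f"{label:12s} {req.get_method():4s} {req.full_url}")
        print(f"{'':12s} bytes out: {len(outbound_bytes(req))}, "
              f"leaks file content: {leaks_content(req, SAMPLE_FILE)}, "
              f"allowed by policy: {egress_policy_allows(req, SAMPLE_FILE)}")
```

Run it and the lookup request is a few hundred bytes of URL and headers, none of which reproduce the document, while the upload request carries the document verbatim. A product that wants VirusTotal reputation without the exposure described in the report can stop at `build_hash_lookup`; only if the hash is unknown does a human need to decide whether the file may be sent anywhere.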
So what’s next? We don’t know how this will all unfold, but we are sure you’ll recover from it, as you have before. We wish you the best, and as we said before, we've got your back.
The SECDO team