Critical Update - EDR Binary Detonation Integrations
Posted on October 16, 2017
We have discovered a critical issue with certain versions of the EDR Binary Detonation integrations released in the last month. A patch that was rolled out to the Binary Detonation integrations in September erroneously submitted corrupt files to the binary detonation providers, potentially resulting in invalid responses from the analysis platform. No sensitive information was leaked as part of this bug. Specifically, the first five bytes of the file were missing on every submission of a file to a binary detonation appliance.
As soon as we identified the issue on Friday, October 13, we re-issued each affected integration with a fix. The affected versions are listed at the end of this note.
We encourage all on-premise users of the EDR Binary Detonation Integrations listed below to upgrade to the latest version as soon as possible. We are reaching out to affected EDR Cloud customers and scheduling the upgrades to their connectors as necessary.
To determine the versions of your integrations, run the following command on your EDR server (or wherever you are running the integration code):
rpm -q -a | grep python-cb- | grep connector
Affected versions:
Integration Name | Affected Version | Fixed Version |
---|---|---|
python-cb-virustotal-connector | 1.0-1, 1.0-2, 1.0-3 | 1.0-4 |
python-cb-bluecoat-connector | 1.2-6 | 1.2-7 |
python-cb-cyphort-connector | 2.2-4 | 2.2-5 |
python-cb-lastline-connector | 1.2-8, 1.2-9 | 1.2-10 |
python-cb-wildfire-connector | 2.5-7, 2.5-8 | 2.5-9 |
python-cb-yara-connector | 1.3-0, 1.3-1 | 1.3-2 |
python-cb-vmray-connector | 1.1-5, 1.1-6 | 1.1-7 |
If you have affected connectors, run:
yum clean all
to clear the cached metadata so that yum picks up the new packages from the OpenSource repository, then:
yum upgrade <integration name>
for each affected integration.
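To make the version check above less error-prone, the following script (an added example, not Carbon Black's own code) parses `rpm -q -a` style output, matches each installed connector against the affected-version table from this note, and prints the corresponding `yum` commands without executing them. The table is copied from this note; the rpm output is a constructed sample so the script runs offline, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the advisory or the connector code.
# Checks installed Cb connector packages against the affected-version
# table from this note. On a real server the package list comes from:
#   rpm -q -a | grep python-cb- | grep connector
# A constructed sample of that output is embedded below so the script
# runs offline.

# Affected "package version-release" pairs, copied from the table above.
AFFECTED="python-cb-virustotal-connector 1.0-1
python-cb-virustotal-connector 1.0-2
python-cb-virustotal-connector 1.0-3
python-cb-bluecoat-connector 1.2-6
python-cb-cyphort-connector 2.2-4
python-cb-lastline-connector 1.2-8
python-cb-lastline-connector 1.2-9
python-cb-wildfire-connector 2.5-7
python-cb-wildfire-connector 2.5-8
python-cb-yara-connector 1.3-0
python-cb-yara-connector 1.3-1
python-cb-vmray-connector 1.1-5
python-cb-vmray-connector 1.1-6"

# Constructed sample of `rpm -q -a | grep python-cb- | grep connector`.
# One affected, one already fixed, one affected on a different arch.
SAMPLE_RPM_OUTPUT="python-cb-virustotal-connector-1.0-2.noarch
python-cb-yara-connector-1.3-2.noarch
python-cb-wildfire-connector-2.5-8.x86_64"

# is_affected NAME VERSION-RELEASE -> exit 0 if the pair is in the table.
# -F treats the pattern as a fixed string, -x requires a whole-line match.
is_affected() {
    printf '%s\n' "$AFFECTED" | grep -qxF "$1 $2"
}

# split_rpm_line "name-ver-rel.arch" -> prints "name ver-rel".
# rpm package labels are NAME-VERSION-RELEASE.ARCH; VERSION and RELEASE
# never contain '-', so the last two '-' fields are the version pair.
split_rpm_line() {
    line=${1%.*}          # strip the trailing .arch
    rel=${line##*-}       # RELEASE
    line=${line%-*}
    ver=${line##*-}       # VERSION
    name=${line%-*}       # NAME
    printf '%s %s-%s\n' "$name" "$ver" "$rel"
}

# affected_packages RPM_OUTPUT -> prints the names of installed packages
# that appear in the affected table, one per line.
affected_packages() {
    printf '%s\n' "$1" | while IFS= read -r pkg; do
        [ -n "$pkg" ] || continue
        pair=$(split_rpm_line "$pkg")
        pname=${pair% *}
        pver=${pair#* }
        if is_affected "$pname" "$pver"; then
            printf '%s\n' "$pname"
        fi
    done
}

# upgrade_commands RPM_OUTPUT -> prints the yum commands from this note
# for the affected packages found (printed only, never executed here).
upgrade_commands() {
    found=$(affected_packages "$1")
    if [ -z "$found" ]; then
        echo "no affected connectors installed"
        return 0
    fi
    echo "yum clean all"
    printf '%s\n' "$found" | while IFS= read -r pname; do
        echo "yum upgrade $pname"
    done
}

upgrade_commands "$SAMPLE_RPM_OUTPUT"
```

On a live EDR server, replace the constructed sample with `upgrade_commands "$(rpm -q -a | grep python-cb- | grep connector)"` and review the printed commands before running them. Matching on the exact `version-release` pair rather than on the package name alone is what keeps an already fixed package such as `python-cb-yara-connector-1.3-2` off the list.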
The issue has been fixed in the common Cb Integration code, version 0.9.2.