A bug in VMWare’s Carbon Black endpoint security solution crashed numerous enterprise servers and workstations, the company has confirmed.
More than 50 organizations have so far reported experiencing the Blue Screen of Death (BSOD), and suspected Carbon Black to be at the core of the issue.
The root of the problem appears to be a ruleset VMware deployed to the solution earlier this week, to its Cloud Sensor. The ruleset, 3.6.0.1979 - 3.8.0.398 is what seems to have caused the crashes. Apparently, users running Windows 10 x64, Server 2012 R2 x64, as well as Server 2019 x64, were affected.
Conflict
"VMware Carbon Black is aware of an issue affecting a limited number of customer endpoints, where certain older sensor versions were impacted by an update of our behavioral preventative capabilities,” the company said in a statement. “The issue has been identified and corrected, and VMware Carbon Black is working with impacted customers."
Further investigation uncovered a conflict between Carbon Black and AV signature pack 8.19.22.224.
Publishing a security advisory in the aftermath, VMware explained how “an updated Threat Research ruleset was rolled out to Prod01, Prod02, ProdEU, ProdSYD, and ProdNRT after internal testing showed no signs of issues.” The ruleset has since been rolled back, and deeper analysis is currently underway, it was added.
To organizations that can’t wait for a fix, VMware recommended putting sensors into Bypass mode via Carbon Black Cloud Console, as that allows users to boot the devices and roll back the broken ruleset.
However, the fix doesn’t seem to be working for everyone. Almost 24 hours later, one user commented “still affected - around a dozen endpoints have not recovered, hands seem tied,” further adding that the bypass was applied. “Reboot into safe mode with networking and wait a %undefined time% period. Reboot and see if fixed. Some are - some are not. Repeat & Try again.”
- These are the best business PCs right now
Via: BleepingComputer