EDR: Unable to Establish LiveResponse Session to Sensors in Group
search cancel

EDR: Unable to Establish LiveResponse Session to Sensors in Group

book

Article ID: 287366

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Session times out when attempting to connect:
    • User-added image
  • Error observed in /var/log/cb/liveresponse/debug.log:
2021-01-06 13:08:47 [30443] <err> cb.liveresponse.app - Exception on /sensor/cblr/3 [POST]
Traceback (most recent call last):
File "/usr/share/cb/virtualenv/lib64/python3.8/site-packages/flask/app.py", line 2447, in wsgi_app
response = self.full_dispatch_request()
File "/usr/share/cb/virtualenv/lib64/python3.8/site-packages/flask/app.py", line 1952, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/usr/share/cb/virtualenv/lib64/python3.8/site-packages/flask/app.py", line 1821, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/usr/share/cb/virtualenv/lib64/python3.8/site-packages/flask/_compat.py", line 39, in reraise
raise value
File "/usr/share/cb/virtualenv/lib64/python3.8/site-packages/flask/app.py", line 1950, in full_dispatch_request
rv = self.dispatch_request()
File "/usr/share/cb/virtualenv/lib64/python3.8/site-packages/flask/app.py", line 1936, in dispatch_requestreturn self.view_functions[rule.endpoint](**req.view_args)
File "/usr/share/cb/virtualenv/lib/python3.8/site-packages/cb/liveresponse/lr_sensor_blueprint.py", line 69, in wrapped_f
File "/usr/lib64/python3.8/uuid.py", line 169, in _init_
raise ValueError('badly formed hexadecimal UUID string')

Environment

  • EDR Server: 7.3.0, 7.4.0, 7.4.1

Cause

  • Certificates starting with "00" can have trouble using LiveResponse to communicate from server to sensor.  This is being fixed in an upcoming EDR Server build via CB-34063.

Resolution

  • Keep in mind this workaround is for customers having a widespread issue of not being able to LiveResponse into sensors.  If an entire group of sensors cannot connect via LiveResponse and show the error above in the logs when attempting to do so, please use this workaround: 
/usr/share/cb/cbssl sensor_certs --revoke --group-id <id of group effected>
  • If this does not resolve the issue, please contact VMWare Carbon Black Support.
Powered by Wolken Software