CROWDSTRIKE FALCON BSOD ISSUE, SECURITY BREACH OR TECHNICAL ISSUE?

Anosike Chinaza Jesse
Category: Technology
22nd July 2024


On the 19th of July, 2024 at 04:09 Coordinated Universal Time, CrowdStrike deployed an update to the sensor configuration on Windows systems as part of their ongoing operations. Updates to the sensor configuration are a regular part of the defence mechanisms of the Falcon platform. This particular update caused a logic error that led to a system crash and a blue screen (BSOD) appearance on the affected systems.

The sensor configuration update, which led to the system crash, was fixed on Friday, July 19, 2024, at 05:27 Coordinated Universal Time.

Effect
Clients using Falcon sensors for Windows version 7.11 and higher, who were connected to the internet between Friday, July 19, 2024, 04:09 UTC, and Friday, July 19, 2024, 05:27 UTC, might experience an impact.
Computers utilising Falcon sensor for Windows 7.11 and above that received the updated setup from 04:09 UTC to 05:27 UTC were vulnerable to a system failure.

Configuration File Primer
The configuration files mentioned above are known as "Channel Files" and form a component of the Falcon sensor's behavioural protection mechanisms. Changes to Channel Files are a regular aspect of the sensor's functioning and happen multiple times daily in reaction to new tactics, techniques, and procedures identified by CrowdStrike. This is not a recent procedure; the framework has been in operation since Falcon was first introduced.

Technical Details
On Windows systems, Channel Files reside in the following directory:
C:\Windows\System32\drivers\CrowdStrike\
and possess a file name that commences with “C-”. Each channel file receives a specific number as a distinct identification. The affected Channel File in this incident is 291 and will possess a filename that starts with “C-00000291-” and concludes with a .sys extension. Despite Channel Files ending with the SYS extension, they are not kernel drivers.
Channel File 291 controls how Falcon evaluates named pipe execution on Windows systems. Named pipes are used for normal interprocess or intersystem communication in Windows.
The update that occurred at 04:09 UTC was designed to target newly observed malicious named pipes being used by common C2 frameworks in cyberattacks. The configuration update triggered a logic error that resulted in an operating system crash.
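The naming convention and the distribution window above are enough to triage a host offline. The following script is an added example, not CrowdStrike's code: it parses a listing of the driver directory, picks out Channel File 291 by its "C-00000291-" prefix, and flags a copy whose last-write time falls inside the 04:09 to 05:27 UTC window on 19 July 2024. Treating the write time as a proxy for "received the faulty content" is an assumption of this example; the sample file names and timestamps are constructed.

```python
import re
from datetime import datetime, timezone

# Channel Files live under C:\Windows\System32\drivers\CrowdStrike\ and are named
# C-<8-digit channel number>-<suffix>.sys; the affected one starts "C-00000291-".
CHANNEL_RE = re.compile(r"^C-(\d{8})-.*\.sys$", re.IGNORECASE)
AFFECTED_CHANNEL = 291

# Window during which the faulty Channel File 291 content was distributed (UTC).
WINDOW_START = datetime(2024, 7, 19, 4, 9, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 7, 19, 5, 27, tzinfo=timezone.utc)


def channel_number(filename: str):
    """Return the channel number encoded in a Channel File name, or None."""
    m = CHANNEL_RE.match(filename)
    return int(m.group(1)) if m else None


def classify(filename: str, mtime: datetime) -> str:
    """Classify one directory entry by name and last-write time (UTC).

    Assumption (not vendor guidance): a Channel File 291 written inside the
    distribution window is the suspect copy; one written after it is the
    corrected copy; anything earlier predates the incident.
    """
    num = channel_number(filename)
    if num is None:
        return "not-a-channel-file"
    if num != AFFECTED_CHANNEL:
        return "other-channel"
    if WINDOW_START <= mtime <= WINDOW_END:
        return "suspect-291"
    if mtime > WINDOW_END:
        return "corrected-291"
    return "pre-incident-291"


def triage(listing):
    """listing: iterable of (filename, mtime in UTC). Returns {filename: verdict}."""
    return {name: classify(name, mtime) for name, mtime in listing}


# Constructed sample listing; the names and times are illustrative only.
SAMPLE = [
    ("C-00000291-00000000-00000001.sys", datetime(2024, 7, 19, 4, 15, tzinfo=timezone.utc)),
    ("C-00000291-00000000-00000002.sys", datetime(2024, 7, 19, 5, 40, tzinfo=timezone.utc)),
    ("C-00000007-00000000-00000009.sys", datetime(2024, 7, 18, 0, 0, tzinfo=timezone.utc)),
    ("example-driver.sys", datetime(2024, 7, 1, 0, 0, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE).items():
        print(f"{name}: {verdict}")
```

On a real host the listing would come from the directory above; a "suspect-291" verdict means the machine received the faulty content in the window and should be checked for the corrected copy.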

Channel File 291
CrowdStrike has corrected the logic error by updating the content in Channel File 291. No additional changes to Channel File 291 beyond the updated logic will be deployed. Falcon is still evaluating and protecting against the abuse of named pipes.

This is not related to null bytes contained within Channel File 291 or any other Channel File.

So from the details above we can all see that it was not a hack or a security breach but a logic issue that stemmed from the foundational technology used, as a result of not using a very memory-safe technology. The issue has been corrected and things are back to normal. There is still a lot of fear about a recurrence, but that is highly unlikely.

This issue did not affect macOS and Linux users because they do not use Channel File 291.