Microsoft - CrowdStrike Outage Issue 2024

Technical details on the outage caused by the sensor configuration update CrowdStrike released for Windows systems.

What happened?

At 04:09 UTC on 19 July 2024, as part of ongoing operations, CrowdStrike released a sensor configuration update for Windows systems.

Updating sensor configuration is an integral part of the Falcon platform's protection mechanism.

This configuration update triggered a logic error that resulted in system crashes and blue screens (BSOD) on affected systems.

The sensor configuration update that caused the crashes was remediated on Friday, 19 July 2024 at 05:27 UTC.

This issue is not the result of or related to a cyberattack.


Impact

Customers running Falcon Sensor for Windows version 7.11 or later that were online between 04:09 UTC and 05:27 UTC on Friday, 19 July 2024 may be affected.

Specifically, systems running Falcon Sensor for Windows 7.11 or later that downloaded the updated configuration within that window are susceptible to a system crash.

Configuration Files Primer

The configuration files mentioned above are called "channel files" and are part of the behavioral protection mechanisms used by the Falcon sensor. Updates to channel files are a normal part of the sensor's operation and occur several times a day in response to novel tactics, techniques, and procedures discovered by CrowdStrike. This is not a new process; the architecture has been in place since Falcon's inception.

Technical Details 

On Windows systems, channel files are located in the directory C:\Windows\System32\drivers\CrowdStrike\ and have file names that begin with "C-". Each channel file is assigned a number as a unique identifier.

The channel file affected in this event is 291, and it has a file name that begins with "C-00000291-" and ends with the .sys extension.

Although channel files end with the .sys extension, they are not kernel drivers.

Channel File 291 controls how Falcon evaluates named pipe execution on Windows systems. Named pipes are used for normal interprocess or intersystem communication in Windows.
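As an added example (this is not CrowdStrike's code or official remediation guidance), the following PowerShell triage script locates Channel File 291 using the directory and naming scheme described above, reports when the file was last written relative to the 04:09 to 05:27 UTC impact window, and confirms that it is not a PE image by checking for the "MZ" signature that every real kernel driver begins with. The directory path, file name prefix and window times come from this page; the function name, parameters and verdict strings are assumptions made for the example.

```powershell
# Added example, not CrowdStrike's code. Assumed: the channel file directory
# and "C-00000291-*.sys" naming from the text, and the impact window
# 04:09-05:27 UTC on 19 July 2024 from the text.
function Get-ChannelFile291Status {
    param(
        [string]$ChannelDir = 'C:\Windows\System32\drivers\CrowdStrike',
        [datetime]$WindowStart = [datetime]::new(2024, 7, 19, 4, 9, 0, [DateTimeKind]::Utc),
        [datetime]$WindowEnd   = [datetime]::new(2024, 7, 19, 5, 27, 0, [DateTimeKind]::Utc)
    )

    $files = Get-ChildItem -Path $ChannelDir -Filter 'C-00000291-*.sys' -File -ErrorAction SilentlyContinue
    if (-not $files) {
        return [pscustomobject]@{
            Present = $false
            Path    = $null
            Verdict = 'Channel File 291 not found (sensor absent, or file already removed)'
        }
    }

    foreach ($f in $files) {
        # Kernel drivers are PE images and start with the two bytes "MZ" (0x4D 0x5A).
        # A channel file carries the .sys extension but is not a PE image, so this
        # should come back $false for a genuine channel file.
        $head = [byte[]]::new(2)
        $fs = [System.IO.File]::OpenRead($f.FullName)
        try { $null = $fs.Read($head, 0, 2) } finally { $fs.Dispose() }
        $isPE = ($head[0] -eq 0x4D -and $head[1] -eq 0x5A)

        # Compare the local write time with the impact window. This is a heuristic:
        # LastWriteTimeUtc records when the sensor wrote the file on this host,
        # which can lag the time CrowdStrike published the content.
        $mtime = $f.LastWriteTimeUtc
        $verdict = if ($mtime -ge $WindowStart -and $mtime -lt $WindowEnd) {
            'Written inside the impact window: may hold the faulty 04:09 UTC content'
        } elseif ($mtime -ge $WindowEnd) {
            'Written at or after 05:27 UTC: consistent with the remediated content'
        } else {
            'Written before the impact window: predates the faulty update'
        }

        [pscustomobject]@{
            Present          = $true
            Path             = $f.FullName
            SizeBytes        = $f.Length
            LastWriteTimeUtc = $mtime
            LooksLikePE      = $isPE
            Verdict          = $verdict
        }
    }
}

Get-ChannelFile291Status | Format-List
```

Run it from an elevated prompt on a host that boots normally, or from safe mode or the recovery environment on one that does not. Treat the timestamp verdict as a pointer for further investigation rather than proof of the file's content, and use the `LooksLikePE` field only as a sanity check that what you are looking at is a channel file and not an actual driver.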

The update at 04:09 UTC was designed to target newly observed, malicious named pipes used by common C2 frameworks in cyberattacks.
The configuration update triggered a logic error that resulted in an operating system crash.
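To make concrete what "evaluating named pipe execution" against known C2 pipe names means, here is an added PowerShell example. It is not CrowdStrike's detection logic and does not reflect the contents of Channel File 291: it is a plain function that matches pipe names against a short pattern list. The patterns are assumptions based on publicly documented default pipe names of the Cobalt Strike framework, and the sample listing is constructed for the example so the check runs without touching the live pipe namespace.

```powershell
# Added example, not CrowdStrike's logic. The patterns below are assumptions
# taken from publicly documented Cobalt Strike defaults and are illustrative only.
function Test-SuspiciousPipeName {
    param(
        [Parameter(Mandatory)][string[]]$PipeName,
        [string[]]$Patterns = @(
            '^MSSE-\d+-server$',     # default SMB beacon pipe name
            '^msagent_[0-9a-f]+$',   # default SMB beacon pipe name
            '^postex_[0-9a-f]+$',    # default post-exploitation job pipe
            '^status_[0-9a-f]+$'     # default post-exploitation job pipe
        )
    )

    foreach ($name in $PipeName) {
        # -match is a case-insensitive regex test in PowerShell; keep the first pattern that hits.
        $hit = $Patterns | Where-Object { $name -match $_ } | Select-Object -First 1
        [pscustomobject]@{
            Pipe       = $name
            Suspicious = [bool]$hit
            Pattern    = $hit
        }
    }
}

# Constructed sample listing (not captured from a real host). The first four are
# ordinary Windows service pipes; the last two follow the illustrative C2 patterns.
$sample = @('lsass', 'srvsvc', 'wkssvc', 'spoolss', 'MSSE-4391-server', 'postex_1a2b')
Test-SuspiciousPipeName -PipeName $sample | Format-Table -AutoSize

# On a live Windows host, the same check can be pointed at the real pipe namespace:
# Test-SuspiciousPipeName -PipeName ([System.IO.Directory]::GetFiles('\\.\pipe\') | Split-Path -Leaf)
```

A static name list is the simplest possible form of this evaluation and is easy for an attacker to sidestep by renaming pipes; it is shown here only to illustrate the kind of decision a channel file drives, not how the sensor actually reaches it.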

Channel File 291

CrowdStrike has corrected the logic error by updating the content of Channel File 291. No additional changes to Channel File 291 beyond the updated logic will be deployed. Falcon continues to evaluate and protect against named pipe abuse. The issue is not related to null bytes contained within Channel File 291 or any other channel file.

Fix 

The latest recommendations and troubleshooting information are available on our blog and on the support portal. We understand that some customers have specific support needs and ask that they contact us directly. Systems that are not currently affected will continue to operate as expected, continue to provide protection, and are not at risk of experiencing this event in the future. Systems running Linux or macOS do not use Channel File 291 and are not affected.

Root Cause Analysis

We understand how this issue occurred and are conducting a thorough root cause analysis to determine how the logic flaw was introduced. This effort is ongoing. We are committed to identifying any foundational or workflow improvements that strengthen our processes, and we will update our findings as the investigation progresses.



