CrowdStrike Reveals Root Cause Analysis of Global Outage
CrowdStrike has published a root-cause analysis report about the Falcon Sensor software update crash that affected millions of Microsoft devices globally. Learn more about the report and its key findings.
- CrowdStrike has published its root cause analysis about the update crash that turned off millions of Microsoft Windows devices globally.
- The crash occurred because there was a mismatch between the 21 inputs passed to the CrowdStrike content validator and the 20 supplied to the content interpreter.
CrowdStrike has released a detailed technical analysis report about the vulnerability in the Falcon Sensor update related to the Channel File 291 incident, which resulted in global outages of Microsoft Windows devices.
On July 19, an out-of-bounds (OOB) memory read in CrowdStrike’s Falcon Sensor caused a Windows kernel crash. The security firm investigated and found no risk of remote code execution or privilege escalation. The report’s findings were validated by third parties and peer-reviewed for accuracy.
Root Cause
The issue arose from the sensor receiving 20 inputs where the template expected 21, leading to the OOB read. The bug does not allow memory writes or control over program execution, even if an attacker controls the memory location being read. The read value was used only as a regular expression string, and no exploitable code paths were identified.
Mitigation Measures
CrowdStrike’s report also highlighted the sensor’s existing defenses against tampering and the changes made in response to the incident, which include:
- Certificate pinning: This ensures that communication with CrowdStrike servers is secure. CrowdStrike specifies which Certificate Authority (CA) or SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificate should be used for a secure server connection, preventing man-in-the-middle attacks.
- Checksum validation: This measure verifies the integrity of downloaded files against a cryptographically calculated value.
- Access control lists (ACLs): ACLs restrict access to channel files and require full administrative privileges to modify.
- Anti-tampering detection: Alerts are triggered if unauthorized attempts are made to modify sensor files.
- The content validator is being modified with new checks to ensure that content does not include matching criteria spanning more fields than are supplied to the content interpreter.
- The content validator will only allow wildcard matching criteria in the 21st field, preventing out-of-bounds access.
- Every new template instance is to be tested, and the content configuration system has been updated with additional checks.
- The Falcon platform has also been updated to give customers greater control over rapid-response content.
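The field-count mismatch described under Root Cause, and the validator and interpreter checks listed above, modelled as an added Python example (constructed here, not CrowdStrike's code): a template type declares 21 match fields, the integration code supplies only 20 inputs, the validator rejects any instance whose non-wildcard criterion would reach past those inputs, and the interpreter bounds-checks rather than reading past the end of its input list. Field counts come from the page; the function names, the wildcard token and the sample values are assumptions.

```python
import re
from typing import Sequence

WILDCARD = "*"
TEMPLATE_FIELD_COUNT = 21  # fields the template type declares (from the page)
SUPPLIED_INPUT_COUNT = 20  # values the integration code actually passes (from the page)


class ContentValidationError(ValueError):
    """Raised when a template instance would make the interpreter read past its inputs."""


def validate_template_instance(criteria: Sequence[str],
                               supplied_inputs: int = SUPPLIED_INPUT_COUNT) -> bool:
    """Hardened validator: every field beyond the supplied inputs must be a wildcard,
    since a wildcard is never evaluated and so never reads an input value."""
    if len(criteria) != TEMPLATE_FIELD_COUNT:
        raise ContentValidationError(
            f"expected {TEMPLATE_FIELD_COUNT} criteria, got {len(criteria)}")
    for idx in range(supplied_inputs, len(criteria)):
        if criteria[idx] != WILDCARD:
            raise ContentValidationError(
                f"field {idx + 1} is {criteria[idx]!r} but only {supplied_inputs} inputs are supplied")
    return True


def is_accepted(criteria: Sequence[str], supplied_inputs: int = SUPPLIED_INPUT_COUNT) -> bool:
    """Convenience wrapper: True if the validator accepts the instance, False if it rejects it."""
    try:
        return validate_template_instance(criteria, supplied_inputs)
    except ContentValidationError:
        return False


def interpret(criteria: Sequence[str], inputs: Sequence[str]) -> bool:
    """Bounds-checked interpreter: criteria are regular expressions matched against
    the input at the same index; a criterion with no input is refused, not read."""
    for idx, pattern in enumerate(criteria):
        if pattern == WILDCARD:
            continue  # wildcard fields are skipped, so no input is ever read for them
        if idx >= len(inputs):
            raise IndexError(f"criterion {idx + 1} has no input; refusing out-of-bounds read")
        if re.fullmatch(pattern, inputs[idx]) is None:
            return False
    return True


# Constructed sample data, not taken from the page.
SAMPLE_INPUTS = [f"value{i}" for i in range(SUPPLIED_INPUT_COUNT)]
OLD_STYLE_INSTANCE = [r"value0"] + [WILDCARD] * 20      # field 21 is a wildcard: safe
BAD_INSTANCE = [WILDCARD] * 20 + [r"value2\d"]           # non-wildcard in field 21: rejected
```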
Execution Environment Specialization
The Falcon sensor’s code execution environment is heavily restricted. Compared to general-purpose VMs (virtual machines), it is limited to pattern matching and cannot perform arbitrary memory access, memory allocation, or arithmetic operations. Consequently, the risk of exploitation is minimized.
Takeaways
CrowdStrike’s analysis confirms that the global Microsoft outage arising from the Channel File 291 incident revealed a bug. However, the bug cannot be exploited for malicious purposes owing to layered security controls and a restricted execution environment. Furthermore, the cybersecurity firm has also invited members of the cybersecurity community to contribute to system improvements going forward via its Bug Bounty program.