Cybersecurity company CrowdStrike has released the root-cause analysis of the Falcon Sensor software update incident, which rendered millions of Windows machines inoperable globally.
As first noted in its Preliminary Post Incident Review (PIR), the “Channel File 291” incident has been linked to a content validation problem that developed following the introduction of a new template type to facilitate visibility into and detection of innovative attack methods that take advantage of named pipes and other Windows interprocess communication (IPC) mechanisms.
It is specifically connected to a content update delivered over the cloud; according to the company, the crash resulted from a “confluence” of multiple errors, the most notable being a mismatch between the 21 input fields the IPC Template Type declared to the Content Validator and the 20 inputs actually supplied to the Content Interpreter.
According to CrowdStrike, the parameter mismatch went undetected through the “multiple layers” of its testing process, partly because the initial IPC template instances delivered in March and April 2024, and the testing procedure itself, used wildcard matching criteria for the 21st input.
Put another way, the updated version of Channel File 291 pushed on July 19, 2024 was the first IPC Template instance to use the 21st input parameter field with non-wildcard criteria. Because there was no explicit test case for non-wildcard matching criteria in the 21st field, the problem was not detected until the Rapid Response Content reached the sensors.
“Sensors that received the new version of Channel File 291 carrying the problematic content were exposed to a latent out-of-bounds read issue in the Content Interpreter,” the company stated.
“The new IPC template instances were assessed, with a comparison against the 21st input value, at the subsequent IPC notification from the operating system. The content interpreter had only twenty values in mind. As a result, the attempt to access value 21 led to a system crash by causing an out-of-bounds memory read that went past the end of the input data array.”
In order to solve the issue, CrowdStrike noted that in addition to checking the number of input fields in the template type at sensor compilation time, it also implemented runtime input array limits checks for the content interpreter to prevent out-of-bounds memory reads.
“The added bounds check prevents the content interpreter from performing an out-of-bounds access to the input array and crashing the system,” it stated. “The additional check adds an extra layer of runtime validation that the size of the input array matches the number of inputs expected by the Rapid Response Content.”
Furthermore, CrowdStrike announced that it will include test cases for non-wildcard matching criteria for every field in all (future) template types as part of an improvement in test coverage throughout template type development. It is anticipated that a portion of the sensor updates will also close the following gaps:
The Content Validator is being updated with new checks to ensure that content in template instances does not contain matching criteria spanning more fields than are supplied as input to the Content Interpreter.
The change to the Content Validator restricts the 21st field to wildcard matching criteria, preventing out-of-bounds access on sensors that can only handle 20 inputs.
Although the initial template instance is tested against the template type when it is created, additional test procedures have been added to the content configuration system to guarantee that every new template instance is tested.
Updates to the Content Configuration System include acceptance checks and more deployment levels.
Updates to the Falcon platform provide users with more flexibility over how Rapid Response Content is delivered.
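The two defensive layers described above, a validator-side check that rejects non-wildcard criteria in fields the interpreter never supplies and an interpreter-side runtime bounds check, can be modelled in a few dozen lines of C. The following is an added example written for this article; it is not CrowdStrike code and does not reflect the Falcon sensor's actual data structures. The `template_instance`, `criterion`, `validator_accepts` and `interpreter_evaluate` names, the 20 sample input strings and the two 21-field instances are all constructed here; only the counts (20 interpreter inputs, 21 template-type fields) come from the root-cause analysis.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Number of input values the Content Interpreter actually supplies (20, per the RCA). */
#define INTERPRETER_INPUT_COUNT 20u
/* Number of fields the IPC Template Type declared to the Content Validator (21, per the RCA). */
#define TEMPLATE_TYPE_FIELDS    21u
#define MAX_FIELDS              32u

typedef enum { MATCH_WILDCARD, MATCH_EXACT } match_kind;

typedef struct {
    match_kind  kind;
    const char *value;   /* compared against the input only for MATCH_EXACT */
} criterion;

typedef struct {
    size_t    count;               /* number of fields in this template instance */
    criterion fields[MAX_FIELDS];
} template_instance;

enum { EVAL_REJECTED = -1, EVAL_NO_MATCH = 0, EVAL_MATCH = 1 };

/* Constructed sample: the 20 values an interpreter would hand to a template instance. */
static const char *const SAMPLE_INPUTS[INTERPRETER_INPUT_COUNT] = {
    "named_pipe", "f1", "f2", "f3", "f4", "f5", "f6", "f7", "f8", "f9",
    "f10", "f11", "f12", "f13", "f14", "f15", "f16", "f17", "f18", "f19"
};

/* Validator-side check (hypothetical model of the updated Content Validator):
 * a non-wildcard criterion may not sit in a field the interpreter never supplies. */
bool validator_accepts(const template_instance *t, size_t interpreter_inputs) {
    for (size_t i = interpreter_inputs; i < t->count; i++) {
        if (t->fields[i].kind != MATCH_WILDCARD) {
            return false;
        }
    }
    return true;
}

/* Interpreter-side evaluation with the runtime bounds check. Without the
 * `i >= n_inputs` test, an exact criterion in field 21 would read inputs[20],
 * one element past the end of a 20-element array: the latent out-of-bounds
 * read the RCA describes. */
int interpreter_evaluate(const template_instance *t, const char *const *inputs, size_t n_inputs) {
    for (size_t i = 0; i < t->count; i++) {
        if (t->fields[i].kind == MATCH_WILDCARD) {
            continue;   /* wildcards never touch the input, which is why earlier instances were safe */
        }
        if (i >= n_inputs) {
            return EVAL_REJECTED;   /* bounds check: refuse instead of reading out of bounds */
        }
        if (strcmp(t->fields[i].value, inputs[i]) != 0) {
            return EVAL_NO_MATCH;
        }
    }
    return EVAL_MATCH;
}

/* Build a constructed 21-field instance: field 1 matches exactly, fields 2-20 are
 * wildcards, and field 21 is either a wildcard (March/April-style) or exact (July 19-style). */
static void build_instance(template_instance *t, bool exact_21st) {
    t->count = TEMPLATE_TYPE_FIELDS;
    for (size_t i = 0; i < t->count; i++) {
        t->fields[i].kind  = MATCH_WILDCARD;
        t->fields[i].value = NULL;
    }
    t->fields[0].kind  = MATCH_EXACT;
    t->fields[0].value = "named_pipe";
    if (exact_21st) {
        t->fields[20].kind  = MATCH_EXACT;
        t->fields[20].value = "anything";
    }
}

/* Returns 1 if a wildcard-in-field-21 instance passes validation and matches at runtime. */
int check_wildcard_21st(void) {
    template_instance t;
    build_instance(&t, false);
    return validator_accepts(&t, INTERPRETER_INPUT_COUNT)
        && interpreter_evaluate(&t, SAMPLE_INPUTS, INTERPRETER_INPUT_COUNT) == EVAL_MATCH;
}

/* Returns 1 if an exact-in-field-21 instance is stopped both by the validator
 * and, should it reach a sensor anyway, by the interpreter's bounds check. */
int check_exact_21st(void) {
    template_instance t;
    build_instance(&t, true);
    return !validator_accepts(&t, INTERPRETER_INPUT_COUNT)
        && interpreter_evaluate(&t, SAMPLE_INPUTS, INTERPRETER_INPUT_COUNT) == EVAL_REJECTED;
}

int main(void) {
    printf("wildcard in field 21: %s\n", check_wildcard_21st() ? "accepted and matched" : "FAILED");
    printf("exact in field 21:    %s\n", check_exact_21st() ? "rejected safely" : "FAILED");
    return 0;
}
```

The point of keeping both layers is that they fail independently: the validator catches the bad instance before it ships, and the interpreter's bounds check means a sensor that nonetheless receives such content returns an error for that template instance rather than reading past the array.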
CrowdStrike also announced that it has engaged two independent third-party software security vendors to review the Falcon sensor code for both security and quality assurance, and that it is conducting an independent review of its end-to-end quality process, from development to deployment.
Additionally, it has promised to collaborate with Microsoft as Windows provides new methods for carrying out security operations in user space rather than through the use of kernel drivers.
“CrowdStrike’s kernel driver is loaded from an early phase of system boot to allow the sensor to observe and defend against malware that launches prior to user mode processes starting,” it stated.
“By giving these kernel capabilities access to current security content (like CrowdStrike’s Rapid Response Content), the sensor may protect systems from a constantly changing threat landscape without requiring modifications to the kernel code. Rapid Response Content is not code or a kernel driver; rather, it is configuration data.”
The root cause investigation was made public at the same time that Delta Air Lines declared it had “no choice” but to sue CrowdStrike and Microsoft for damages after their actions caused severe disruptions, costing the airline an estimated $500 million in lost revenue, as well as additional expenses from thousands of canceled flights.
After receiving criticism, CrowdStrike and Microsoft both issued statements denying responsibility for the multi-day outage and stating that Delta had turned down their offers of on-site support. This suggests that the carrier may be facing more serious issues than just its Windows machines failing due to a faulty security update.