
What Happened?
On July 19, 2024, CrowdStrike pushed a sensor configuration update for Windows hosts that contained a logic error. When the Falcon sensor processed the affected content it triggered a system crash (blue screen, BSOD). Falcon sensor for Windows versions 7.11 and above were affected, and only hosts that were online and downloaded the update during its distribution window were hit. CrowdStrike reverted the faulty update 78 minutes after it went out. The error has been fixed and a thorough root cause analysis is being conducted to prevent a repeat. No cyberattack was involved: this was a defective content update, not a compromise.
Impact
Systems running Falcon sensor for Windows 7.11 and above that downloaded the updated configuration between roughly 09:40 and 11:00 AM Chennai time (04:09 to 05:27 UTC) were susceptible to a system crash. Hosts that were offline during that window never received the faulty content and were not affected. Including mine :(

Technical Details
The update was meant to detect newly observed malicious named pipes used by command-and-control frameworks. A logic error in how the sensor evaluated that content caused the crash, so this was a content problem rather than a new sensor binary. Channel File 291 has since been corrected, and no further changes to it will be made. The issue is not related to null bytes in Channel File 291 or any other Channel File.
Configuration File Primer
CrowdStrike's "Channel Files" carry the content for Falcon's behavioral protection and are updated automatically several times a day as new threats are observed. They live in C:\Windows\System32\drivers\CrowdStrike\; each file name starts with "C-" followed by the channel number and ends in a .sys extension, although these are content files, not kernel drivers. Channel File 291 (the files matching C-00000291*.sys) controls how Falcon evaluates named pipe execution on Windows and was the focal point of the issue. Named pipes are a Windows interprocess communication mechanism, which is why attackers' C2 frameworks use them and why the sensor watches them.
Solution
Since the faulty content lives in Channel File 291, the workaround is to get rid of that file and let the sensor fetch the corrected one.
Reboot the host to give it an opportunity to download the reverted channel file. Put the host on a wired network (as opposed to WiFi) before rebooting, since it acquires internet connectivity considerably faster over ethernet and has only a short window before the faulty file crashes it again.
If the host crashes again:
1. Boot Windows into Safe Mode or the Windows Recovery Environment (WinRE). Safe Mode with Networking on a wired connection gives the sensor a chance to pull the corrected file while you work.
2. Open a command prompt and navigate to the %WINDIR%\System32\drivers\CrowdStrike directory. The WinRE prompt starts in X:\windows\system32 (the recovery image, not your OS), so switch to the OS partition first (usually C:) and then change into the CrowdStrike directory:
   C:
   cd windows\system32\drivers\crowdstrike
3. Locate the file matching "C-00000291*.sys" and delete it. Do not delete or change any other files or folders in that directory. The file is only gone until the sensor reconnects: it will download the corrected Channel File 291, which is exactly what you want.
4. Cold boot the host: shut it down completely, then start it from the off state.
Note: BitLocker-encrypted hosts may require the recovery key before Safe Mode or WinRE can access the OS partition.
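The triage and cleanup described in the Primer and Solution sections above, as an added PowerShell example (it is not CrowdStrike's tooling and not code from the original post). It scans every volume that carries a Windows installation for the CrowdStrike driver folder (in WinRE the OS disk is often not C:), parses the channel number out of the C-<digits>- file-name prefix, classifies each copy of Channel File 291 by its UTC last-write time against the 04:09 to 05:27 UTC window on 2024-07-19, and with Remove-ChannelFile291 deletes only those files. The function names, the all-volumes scan, and the reliance on a file's last-write time as its download time are my assumptions, not vendor guidance.

```powershell
# Added example, not CrowdStrike's code: triage and remove Channel File 291 with PowerShell.
# Run from an elevated PowerShell prompt in Safe Mode (or in WinRE where powershell.exe is present).
# Assumption: the faulty copy was distributed from 04:09 UTC and reverted at 05:27 UTC on
# 2024-07-19, and a channel file's last-write time reflects when the sensor downloaded it.

$FaultyFrom = [datetime]::new(2024, 7, 19, 4, 9, 0, [System.DateTimeKind]::Utc)
$RevertedAt = [datetime]::new(2024, 7, 19, 5, 27, 0, [System.DateTimeKind]::Utc)

function Find-CrowdStrikeDriverDir {
    # Every <drive>:\Windows\System32\drivers\CrowdStrike on the machine. In WinRE the
    # recovery image is X: and the real OS volume may be C:, D:, ... so scan all drives.
    Get-PSDrive -PSProvider FileSystem |
        Where-Object { $_.Root -match '^[A-Za-z]:\\$' } |
        ForEach-Object { Join-Path $_.Root 'Windows\System32\drivers\CrowdStrike' } |
        Where-Object { Test-Path -LiteralPath $_ -PathType Container }
}

function Get-ChannelFileStatus {
    # Parse "C-<channel>-<rest>.sys" into its channel number; for channel 291, classify
    # the copy by its UTC write time relative to the faulty update window.
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)
    if (-not ($File.Name -match '^C-(\d+)-.*\.sys$')) { return $null }   # not a channel file
    $channel = [int]$Matches[1]
    $written = $File.LastWriteTimeUtc
    $state = 'other-channel'
    if ($channel -eq 291) {
        if ($written -ge $FaultyFrom -and $written -lt $RevertedAt) { $state = 'FAULTY' }
        elseif ($written -ge $RevertedAt)                         { $state = 'reverted' }
        else                                                      { $state = 'pre-incident' }
    }
    [pscustomobject]@{ Path = $File.FullName; Channel = $channel; WrittenUtc = $written; State = $state }
}

function Get-ChannelFile291 {
    # All copies of Channel File 291 on every detected OS volume, with their classification.
    foreach ($dir in Find-CrowdStrikeDriverDir) {
        Get-ChildItem -LiteralPath $dir -Filter 'C-00000291*.sys' -File |
            ForEach-Object { Get-ChannelFileStatus -File $_ }
    }
}

function Remove-ChannelFile291 {
    # Delete ONLY Channel File 291; nothing else in the CrowdStrike folder is touched.
    # A copy classified 'reverted' is kept unless -Force is given, because that copy is
    # already the fix. Use -Force if you do not trust the file timestamps or the clock.
    param([switch]$Force)
    foreach ($f in Get-ChannelFile291) {
        if (-not $Force -and $f.State -eq 'reverted') {
            Write-Host ("keeping  {0} (written {1:u}, already the reverted version)" -f $f.Path, $f.WrittenUtc)
            continue
        }
        Remove-Item -LiteralPath $f.Path -Force
        Write-Host ("removed  {0} (written {1:u}, {2})" -f $f.Path, $f.WrittenUtc, $f.State)
    }
}

# Triage first: list what is present and how each copy is classified.
Get-ChannelFile291 | Format-Table Channel, State, WrittenUtc, Path -AutoSize
# Then remove the faulty copy and cold boot the host:
# Remove-ChannelFile291
```

On a BitLocker-protected host the OS volume must be unlocked first (WinRE prompts for the recovery key), otherwise the scan finds no CrowdStrike folder at all. After Remove-ChannelFile291 reports a removal, cold boot as in step 4; on the next connection the sensor downloads the corrected Channel File 291, and running Get-ChannelFile291 again should then show a single copy classified as reverted.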
For Humans💓
Everyone's primary goal is an error-free recovery, so state the facts clearly and offer practical recommendations for working through the situation. Clear information keeps people informed and calm. Approach the incident with a balanced perspective rather than the sensationalism seen in some news outlets.
Thanks a lot, Bye.