On 19 July 2024 at 0409H UTC (1209H Manila Time), CrowdStrike, a leading cybersecurity company, issued a sensor configuration update to Windows systems as part of their regular security maintenance. This update, designed to enhance the protection capabilities of their Falcon platform, inadvertently caused a system crash and the infamous blue screen of death (BSOD) on affected systems. The error was swiftly corrected by 0527H UTC (1327H Manila Time) the same day according to a press release issued by CrowdStrike.
According to the company, the problem stemmed from a logic error in the update, not from a cyberattack. Therefore, there is no reason to believe that this incident was the result of any malicious activity.
Who Was Affected?
Customers using the Falcon sensor for Windows version 7.11 and above, who were online between 0409H UTC (1209H Manila Time) and 0527H UTC (1327H Manila Time) on Friday, 19 July 2024, might have experienced this issue. These systems downloaded the problematic configuration file, leading to a potential crash.
What Are Channel Files?
Channel files are an integral part of the behavioral protection mechanisms within the Falcon sensor. These files are regularly updated several times a day to counteract new threats identified by CrowdStrike. This continuous updating process has been part of Falcon’s architecture since its inception.
In Windows systems, these files are located in the directory:
C:\Windows\System32\drivers\CrowdStrike\
Each file name starts with “C-” followed by a unique number. The specific file involved in this incident was Channel File 291, which starts with “C-00000291-” and ends with a .sys extension. Although these files have a .sys extension, they are not kernel drivers.
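For administrators who want to inventory these files on a host, the following script is an added example written for this article and is not CrowdStrike tooling. It uses the directory and the "C-00000291-" naming convention from the text, together with the 0409H/0527H UTC release times, and assumes (this is an assumption, not something the article states) that a channel file's modification time reflects when the sensor wrote it to disk. Runs with standard-library Python only.

```python
"""Inventory CrowdStrike channel files and flag any Channel File 291 whose
timestamp falls inside the 19 July 2024 incident window.

Added example for this article, not CrowdStrike's own tooling. ASSUMPTION:
a channel file's modification time is taken as the time the sensor wrote
it; the directory, naming convention and release times come from the
article.
"""
import os
import re
from datetime import datetime, timezone
from pathlib import Path

# Default location named in the article.
CHANNEL_DIR = Path(r"C:\Windows\System32\drivers\CrowdStrike")

# Channel files are named C-<8 digits>-...sys; the incident file is number 291.
CHANNEL_FILE_RE = re.compile(r"^C-(\d{8})-.*\.sys$", re.IGNORECASE)
INCIDENT_CHANNEL = 291

# Window from the article: faulty update published 0409H UTC, fix at 0527H UTC.
FAULTY_RELEASE = datetime(2024, 7, 19, 4, 9, tzinfo=timezone.utc)
FIX_RELEASE = datetime(2024, 7, 19, 5, 27, tzinfo=timezone.utc)


def channel_number(name):
    """Return the channel number encoded in a channel file name, or None."""
    m = CHANNEL_FILE_RE.match(name)
    return int(m.group(1)) if m else None


def classify_mtime(mtime):
    """Place a (UTC, timezone-aware) timestamp relative to the incident window."""
    if mtime < FAULTY_RELEASE:
        return "pre-incident"
    if mtime < FIX_RELEASE:
        return "within-incident-window"  # written before the corrected file shipped
    return "post-fix"


def inventory(directory=CHANNEL_DIR):
    """Return {filename: (channel number, status)} for every channel file found."""
    result = {}
    for path in Path(directory).iterdir():
        num = channel_number(path.name)
        if num is None:
            continue  # not a channel file (e.g. readme or unrelated driver)
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        status = classify_mtime(mtime) if num == INCIDENT_CHANNEL else "not-291"
        result[path.name] = (num, status)
    return result


def suspect_files(directory=CHANNEL_DIR):
    """Names of Channel File 291 copies whose timestamp is inside the window."""
    return sorted(name for name, (_, status) in inventory(directory).items()
                  if status == "within-incident-window")


if __name__ == "__main__":
    # Typed on the affected host; prints one line per channel file found.
    for name, (num, status) in sorted(inventory().items()):
        print(f"{name}: channel {num}, {status}")
```

A copy reported as "within-incident-window" is the one to compare against the corrected file from the Support Portal; "post-fix" copies were written after the corrected release time. Because the script only reads file metadata, it can be run from a recovery environment against an offline volume by passing that volume's path to `inventory()`.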
What Happened with Channel File 291?
Channel File 291 helps Falcon evaluate named pipe executions on Windows systems. Named pipes are used for communication between different processes or systems within Windows.
The update issued at 0409H UTC (1209H Manila Time) was intended to target newly observed malicious named pipes used in cyberattacks. Unfortunately, it introduced a logic error, resulting in system crashes.
CrowdStrike quickly addressed the issue by updating Channel File 291 and correcting the logic error. No further changes were made to Channel File 291 beyond this correction. The Falcon platform continues to monitor and protect against named pipe abuses. Importantly, this issue was not related to any null bytes in Channel File 291 or any other Channel Files.
Next Steps
For the latest information and remediation recommendations, customers are encouraged to visit the CrowdStrike blog or the Support Portal. CrowdStrike said it is committed to supporting its customers and encourages anyone with specific needs to contact the company directly.
Unimpacted systems will continue to operate normally, providing robust protection without the risk of encountering this issue again. It’s worth noting that systems running on Linux or macOS were not affected by this event as they do not use Channel File 291.
As of this posting, CrowdStrike is conducting a thorough root cause analysis to understand how this logic error occurred. They are committed to identifying improvements in their processes to prevent similar issues in the future. Updates will be provided as the investigation progresses.
The question now is: will CrowdStrike continue to enjoy the trust of its customers? Elon Musk, the big boss of X (formerly Twitter), Tesla, and SpaceX (among many companies), said that they had already deleted CrowdStrike from all their systems.