What happened?
On July 19, 2024 at 04:09 UTC, as part of ongoing operations, CrowdStrike released a sensor configuration update for Windows systems. Sensor configuration updates are an ongoing part of the Falcon platform’s protection mechanisms. This configuration update caused a logic error that led to a system crash and a blue screen of death (BSOD) on affected systems.
The sensor configuration update that caused the system crash was remediated on Friday, July 19, 2024 at 05:27 UTC.
This issue is not the result of or related to a cyber attack.
Impact
Customers running Falcon sensor for Windows version 7.11 and later whose systems were online between Friday, July 19, 2024 04:09 UTC and Friday, July 19, 2024 05:27 UTC may be affected.
Systems running Falcon sensor for Windows 7.11 and later that downloaded the updated configuration between 04:09 UTC and 05:27 UTC were susceptible to a system crash.
Configuration file primer
The configuration files mentioned above are referred to as "Channel Files" and are part of the behavioral protection mechanisms used by the Falcon sensor. Updates to Channel Files are a normal part of the sensor's operation and occur several times a day in response to novel tactics, techniques, and procedures discovered by CrowdStrike. This is not a new process; the architecture has been in place since Falcon's inception.
Technical details
On Windows systems, the channel files are located in the following directory:
C:\Windows\System32\drivers\CrowdStrike\
Each Channel File has a name that starts with "C-" followed by a number that serves as its unique identifier. The Channel File affected in this event is 291, so its file name begins with "C-00000291-" and ends with the .sys extension. Although Channel Files end with the .sys extension, they are not kernel drivers.
Channel File 291 controls how Falcon evaluates named pipe [1] execution on Windows systems. Named pipes are used for normal interprocess or intersystem communication in Windows.
The update that went out at 04:09 UTC was designed to target newly observed malicious named pipes being used by common C2 frameworks in cyberattacks. The configuration update triggered a logic error that resulted in a system crash.
Channel File 291
CrowdStrike has corrected the logic error by updating the content in Channel File 291. No additional changes to Channel File 291 will be deployed beyond the updated logic. Falcon continues to evaluate and protect against the abuse of named pipes.
This is not related to null bytes contained within Channel File 291 or any other Channel File.
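The following PowerShell triage check is an added example, not CrowdStrike's code or its remediation procedure: it lists any Channel File 291 present on a host and flags copies whose last-write time (UTC) falls inside the 04:09 to 05:27 UTC distribution window. The directory path and file-name pattern come from the section above; treating the file's last-write time as a proxy for when the update was downloaded is an assumption, so a flag means "review", not "confirmed faulty".

```powershell
# Added example (not CrowdStrike's code): report Channel File 291 on this host
# and flag copies last written inside the affected distribution window.
param(
    # Channel File directory as given in the post.
    [string]$ChannelDir = 'C:\Windows\System32\drivers\CrowdStrike'
)

# Distribution window from the post, expressed in UTC.
$windowStart = [datetime]::SpecifyKind([datetime]'2024-07-19T04:09:00', 'Utc')
$windowEnd   = [datetime]::SpecifyKind([datetime]'2024-07-19T05:27:00', 'Utc')

if (-not (Test-Path -LiteralPath $ChannelDir)) {
    Write-Output "Channel directory not found: $ChannelDir (sensor not installed?)"
    return
}

# Channel File names start with "C-", carry the channel number, and end in .sys,
# although they are configuration data rather than kernel drivers.
$files = Get-ChildItem -LiteralPath $ChannelDir -Filter 'C-00000291-*.sys' -File

if (-not $files) {
    Write-Output 'No Channel File 291 present in the channel directory.'
    return
}

foreach ($f in $files) {
    $mtime = $f.LastWriteTimeUtc
    # ASSUMPTION: last-write time approximates when the sensor downloaded the file.
    $inWindow = ($mtime -ge $windowStart) -and ($mtime -le $windowEnd)
    [pscustomobject]@{
        Name          = $f.Name
        SizeBytes     = $f.Length
        LastWriteUtc  = $mtime.ToString('yyyy-MM-dd HH:mm:ss')
        SHA256        = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        InFaultWindow = $inWindow
    }
}
```

The script only reports; it does not modify or remove any file, and the hash and timestamp it records can be compared against the remediation guidance linked below.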
Remediation
The most up-to-date remediation recommendations and information can be found on our blog or in the Support Portal.
We understand that some customers may have specific support needs, and we ask them to contact us directly.
Systems that are not currently impacted will continue to operate as expected, continue to provide protection, and have no risk of experiencing this event in the future.
Systems running Linux or macOS do not use channel 291 and are not affected.
Root cause analysis
We understand how this issue occurred and are conducting a thorough root cause analysis to determine how this logic flaw occurred. This effort will be ongoing. We are committed to identifying any foundational or workflow improvements that we can make to strengthen our process. We will update our findings in the root cause analysis as the investigation progresses.
[1] https://learn.microsoft.com/en-us/windows/win32/ipc/named-pipes