
CrowdStrike Report Analyzes Worldwide Bug Halt, Injects Parameters for Incomplete Regular Expression Template

CrowdStrike recently released an analysis of the Falcon Sensor issue that caused computers worldwide to crash last month. They attributed it to a software mismatch problem combined with a data validation issue.

The main component of Falcon Sensor is the Content Interpreter, a regular expression engine that validates data across different channels. This engine pulls data from updated channel files to verify whether the data flowing through the channels matches the data in the channel files.

With the introduction of Falcon Sensor 7.11 in February, additional validation channels were added for Windows inter-process communication (IPC) to detect attacks that abuse process communication mechanisms such as named pipes. The new IPC Template requires 21 parameters, with the option of leaving the 21st parameter as a wildcard. The previous template only had 20 parameters, yet it still functioned for several months because the 21st parameter was optional.

On July 19th, CrowdStrike released two new templates, one of which mandated all 21 parameters and did not allow any value to be omitted. When Falcon Sensor encountered IPC notifications, it would attempt to run these templates from the channel file to detect intrusions.

At this point, the template renderer tried to fetch the 21 parameters the template required, while the Content Interpreter had only prepared 20. Reading beyond the prepared parameters was an immediate out-of-bounds memory access, which crashed the renderer and led to a system failure.

The testing process run before channel files are released to customers covers various aspects, including resource utilization levels and detection rates, but it did not test the Content Interpreter. The report mentioned ongoing and planned corrective actions, such as ensuring that no template has a mismatched parameter count and improving post-release testing so that it reflects real-world scenarios.
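The parameter-count mismatch described above, and the load-time check that the corrective action implies, modelled as an added example. This is constructed illustration code, not CrowdStrike's; the template names, struct layout and the `template_fits` check are assumptions, and the 20 prepared values are a made-up stand-in for real IPC data.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the count mismatch, not CrowdStrike's code. */
#define PREPARED_PARAMS 20   /* values the Content Interpreter prepares */

/* A template as the article describes it: how many parameters it
 * references and whether the last one may be left as a wildcard. */
struct ipc_template {
    const char *name;        /* constructed label */
    size_t param_count;      /* parameters the template wants to read */
    bool last_is_wildcard;   /* true: final parameter is optional */
};

/* The three templates from the article (names are made up). */
static const struct ipc_template tmpl_feb_20   = { "ipc-feb-20",     20, false };
static const struct ipc_template tmpl_jul_wild = { "ipc-jul19-wild", 21, true  };
static const struct ipc_template tmpl_jul_full = { "ipc-jul19-full", 21, false };

/* Load-time check the report's corrective action implies: a template is
 * accepted only if every parameter it insists on can be supplied. */
static bool template_fits(const struct ipc_template *t, size_t prepared) {
    size_t required = t->param_count;
    if (t->last_is_wildcard && required > 0)
        required--;          /* trailing wildcard need not be prepared */
    return required <= prepared;
}

/* Bounds-checked renderer. Returns how many prepared parameters it
 * examined, or -1 if the template would read past params[prepared - 1]
 * (the out-of-bounds read that crashed the original renderer). */
static int render_checked(const struct ipc_template *t,
                          const char *params[], size_t prepared) {
    if (!template_fits(t, prepared))
        return -1;           /* refuse instead of reading out of bounds */
    int examined = 0;
    for (size_t i = 0; i < t->param_count && i < prepared; i++)
        if (params[i] != NULL)
            examined++;
    return examined;
}

/* Run one template against 20 prepared parameters, as on July 19th. */
int run_scenario(const struct ipc_template *t) {
    const char *params[PREPARED_PARAMS];
    for (size_t i = 0; i < PREPARED_PARAMS; i++)
        params[i] = "sample";  /* constructed stand-in for real IPC data */
    return render_checked(t, params, PREPARED_PARAMS);
}
```

The February template and the wildcard July template both render against 20 prepared values; the strict 21-parameter July template is rejected at load time instead of reading past the array.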

In an effort to prevent similar incidents in the future, they plan to move certain tasks out of the kernel and into user space to reduce the impact of such issues. Additionally, they will collaborate with Microsoft to enhance the features needed to run security software outside the kernel.

TLDR: CrowdStrike identified a Falcon Sensor issue that caused global computer crashes due to a software mismatch and data validation problems. They are taking steps to address the issue and improve testing processes for future releases.
