
Preliminary Investigation Results Revealed by CrowdStrike: Testing System Unveils Vulnerabilities, Prompting Release of Patch for Leaked Bugs.

CrowdStrike has released a Preliminary Post Incident Review following a software bug in the Falcon Sensor that resulted in BSODs on Windows. The report adds detail to the initial statement, which indicated that a Channel Files configuration file was malfunctioning.

CrowdStrike software has two types of updates. The first type, Sensor Content, is delivered alongside the software itself, allowing organizations to control the release of these updates. The second type, Rapid Response Content, consists of separate, smaller update files designed to combat new malware, virus, and attack threats during that time frame. These files are in a binary format.

The temporary system crash incident was caused by a post-update, a kind of update that is typically tested internally in staging environments under various scenarios. The Falcon Sensor software version 7.11 underwent testing in March 2024 and was released to production in April without any issues.

An update on July 19th aimed to add some data to Sensor version 7.11, and a bug during testing led to the release of this flawed update. Despite the issues in the update content, the extensive testing conducted in March-April had shown no problems, so the flawed update was released publicly and resulted in widespread BSOD issues.

CrowdStrike has stated its intention to enhance code testing measures to prevent such issues from recurring in the future. They plan to introduce staged release processes (similar to canary testing seen in other software) and provide users with more control over Rapid Response Content updates, beyond the existing control over Sensor Content updates.

CrowdStrike also mentioned that a detailed Root Cause Analysis report will be released once the investigation process is completed.

TLDR: CrowdStrike’s Preliminary Post Incident Review highlights a software bug in Falcon Sensor, leading to BSOD on Windows. They plan to enhance testing measures and introduce staged release processes to prevent future issues.
