
Decoding CrowdStrike Technical details on the outage

On Saturday, CrowdStrike said a bad “sensor configuration update” in its Falcon cybersecurity platform was to blame for a massive global computer outage. The disastrous patch knocked approximately 8.5 million Windows devices offline, paralyzing airlines, hospitals, and financial institutions globally.

Mac and Linux systems were not impacted, and Microsoft reported Saturday that many systems have been restored.

The CrowdStrike Falcon cloud-managed platform is a unified set of cloud-delivered technologies that prevent all types of attacks. Its core functions include antivirus, endpoint detection and response, cyber threat intelligence, managed threat hunting, and security hygiene.

On July 19, 2024, at 04:09 UTC, as part of ongoing operations, CrowdStrike released a sensor configuration update to Windows systems. Sensor configuration updates are an ongoing part of the protection mechanisms of the Falcon platform. The configuration update triggered a logic error resulting in a system crash and blue screen on impacted systems.

Systems running Falcon sensor for Windows 7.11 and above that downloaded the updated configuration between 04:09 UTC and 05:27 UTC were susceptible to a system crash.

CrowdStrike explained that the configuration files updated for the Falcon sensor are called “channel files” and are tied to the sensor’s “behavioral protection mechanisms”.

CrowdStrike gave the Windows directory path for the impacted Channel Files (C:\Windows\System32\drivers\CrowdStrike) and noted that the impacted file has a file name that starts with “C-” (Channel File 291).

The update was designed to target newly observed, malicious named pipes being used by common C2 frameworks in cyberattacks. The configuration update triggered a logic error that resulted in an operating system crash.

Mitigation, CrowdStrike said, consists of updating Channel File 291; no further updates to the file will be deployed, and Falcon continues to evaluate and protect against the abuse of named pipes.
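The directory path, the “C-” file-name prefix and the 04:09 to 05:27 UTC window above are enough for a defender to triage a single host. The following PowerShell script is an added example, not CrowdStrike’s code or the article’s: it lists the channel files in the directory the article names, records each file’s last-write time in UTC, and flags any Channel File 291 candidate whose write time falls inside the outage window. The `C-*291*` wildcard is an assumption about how the file name encodes the channel number; the script only narrows the listing and does not inspect file contents, so it reports a candidate for follow-up rather than a confirmed faulty file.

```powershell
# Added example (not from CrowdStrike or the article): inventory Falcon channel files
# on a Windows host and flag any written inside the bad-update window the article gives
# (2024-07-19 04:09 to 05:27 UTC). Run from an elevated PowerShell prompt.

$ChannelDir  = 'C:\Windows\System32\drivers\CrowdStrike'   # path given in the article
$WindowStart = [datetime]::new(2024, 7, 19, 4, 9, 0, [DateTimeKind]::Utc)
$WindowEnd   = [datetime]::new(2024, 7, 19, 5, 27, 0, [DateTimeKind]::Utc)

function Get-FalconChannelFileReport {
    param(
        [string]$Path = $ChannelDir,
        [datetime]$Start = $WindowStart,
        [datetime]$End = $WindowEnd
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Channel file directory not found: $Path (Falcon sensor may not be installed)"
        return
    }
    # Channel files are the files whose names start with "C-"; the article says
    # Channel File 291 is the one tied to the named-pipe detection logic.
    Get-ChildItem -LiteralPath $Path -File -Filter 'C-*' | ForEach-Object {
        $written = $_.LastWriteTimeUtc
        [pscustomobject]@{
            Name             = $_.Name
            SizeBytes        = $_.Length
            LastWriteTimeUtc = $written
            InOutageWindow   = ($written -ge $Start -and $written -le $End)
            # Assumption: "291" appears in the file name of Channel File 291. This only
            # narrows the listing; it does not prove the contents are the faulty version.
            IsChannel291     = ($_.Name -like 'C-*291*')
        }
    }
}

$report = Get-FalconChannelFileReport
$report | Sort-Object LastWriteTimeUtc | Format-Table -AutoSize

$suspect = $report | Where-Object { $_.IsChannel291 -and $_.InOutageWindow }
if ($suspect) {
    Write-Host 'Channel File 291 on this host was written during the outage window; confirm the sensor has received the corrected file before relying on it.'
} else {
    Write-Host 'No Channel File 291 written inside the outage window was found.'
}
```

A host that received the corrected file after 05:27 UTC will show a later write time and fall outside the window, which is why the time filter is combined with the name filter rather than used alone. The same report can be collected across a fleet to find hosts that never came back online to pull the corrected file.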

CrowdStrike’s blog echoed previous apologetic sentiments while expressing empathy to impacted customers and a promise to do better moving forward.

“We understand how this issue occurred, and we are doing a thorough root cause analysis to determine how this logic flaw occurred. This effort will be ongoing. We are committed to identifying any foundational or workflow improvements that we can make to strengthen our process. We will update our findings in the root cause analysis as the investigation progresses.”

An apology was issued on Friday by George Kurtz, CrowdStrike’s founder and CEO, via a blog post stating, “I want to sincerely apologize directly to all of you for today’s outage”.

CrowdStrike issued a fix for impacted systems and stressed that the outage was not tied to a cybersecurity event or attack. However, security experts said the disruption of services and the rush to investigate and fix systems opened the door for threat actors to take advantage of the opportunity.
