MADRID, (Portaltic/EP) – CrowdStrike has detailed what caused the crash of its platform, which affected Windows computers and which “cannot be repeated now”, as it has implemented a series of measures that would neutralize a similar incident in the future.
The cybersecurity company published a root cause analysis (RCA) in which it expanded on the information related to the incident that caused a worldwide blackout on July 19.
This report therefore offers more data than previously shared in its preliminary post-incident review (PIR) and provides more information “on the findings, mitigations, and technical details” related to the flaw.
Firstly, the company acknowledged that it will continue to investigate what happened, as there are still customers affected by the faulty update of its sensor. However, the vast majority have been able to restore their services normally.
The company explained that Falcon, the sensor that triggered the global crash, was updated in February 2024 with a new capability that gave it visibility into possible novel attack techniques that could abuse certain Windows mechanisms.
This feature “predefined a set of fields for Rapid Response Content (RCA) to collect data from,” a capability that “was developed and tested in accordance with the company’s standard software development processes.”
As early as March 5, the first Rapid Response Content for Channel File 291 was produced as part of a content configuration update, and three versions of it “worked as expected in production,” according to the document.
On July 19, 2024, this update was delivered to certain Windows hosts that included the capability released in February of this year. The sensor was prepared to receive 20 sources, or input fields, whereas the update provided 21.
“The mismatch resulted in an out-of-bounds memory read, leading to a system crash,” the company wrote, stressing that according to its analysis “this bug was not exploitable by a threat actor.”
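The field-count mismatch described above is a classic input-validation bug: a content file declares more fields than the code consuming it was built to hold, and an unchecked loop walks past the end of a fixed-size table. The following C model is an added example written for this article; it is not CrowdStrike's code and makes no claim about how the Falcon sensor is implemented. It assumes a constructed interpreter table of 20 entries, a constructed template header carrying a field count, and a flat backing buffer so that the over-read is observable without undefined behaviour. The unchecked reader shows the failure mode; the hardened reader rejects the template at load time and bounds-checks every access anyway.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model (not CrowdStrike's code) of the mismatch the RCA describes:
 * the interpreter's table holds 20 field descriptors, a template arrives
 * declaring 21, and unchecked code indexes one entry past the table.
 */
#define INTERPRETER_FIELDS 20          /* entries the interpreter's table really holds */
#define ADJACENT_WORDS      4          /* constructed "neighbouring memory" after the table */
#define ADJACENT_MARKER     0xDEADu    /* constructed value living just past the table */

/* One flat buffer so the over-read stays observable and well-defined in this demo:
 * the first 20 words are the field table, the rest stand in for whatever
 * happens to sit next to it in memory on a real system. */
static uint32_t memory[INTERPRETER_FIELDS + ADJACENT_WORDS];
static const uint32_t *field_table = memory;   /* the interpreter only "owns" memory[0..19] */

static void init_memory(void) {
    for (int i = 0; i < INTERPRETER_FIELDS; i++)
        memory[i] = 100u + (uint32_t)i;        /* constructed field descriptor ids */
    for (int i = INTERPRETER_FIELDS; i < INTERPRETER_FIELDS + ADJACENT_WORDS; i++)
        memory[i] = ADJACENT_MARKER;           /* whatever lives after the table */
}

/* Constructed template header: what a content update declares about itself. */
typedef struct {
    uint32_t channel;       /* e.g. 291 in the incident */
    uint32_t field_count;   /* input fields the template wants to feed the interpreter */
} template_header_t;

/* Vulnerable pattern: trust field_count and walk the table with it.
 * Returns the last descriptor read. With field_count == 21 that is memory[20],
 * which is outside the 20-entry table. */
uint32_t interpret_unchecked(const template_header_t *hdr) {
    uint32_t last = 0;
    for (uint32_t i = 0; i < hdr->field_count; i++)
        last = field_table[i];              /* no bound on i */
    return last;
}

/* Hardened pattern, step 1: validate the template against the interpreter's
 * capacity at load time, before any field is touched. 0 = ok, -1 = mismatch. */
int validate_template(const template_header_t *hdr) {
    if (hdr->field_count != INTERPRETER_FIELDS)
        return -1;   /* interpreter and template disagree on the field count */
    return 0;
}

/* Hardened pattern, step 2: refuse to run a template that failed validation and
 * bounds-check every index anyway (defence in depth). 0 = ok, -1 = rejected;
 * *last receives the last descriptor read on success. */
int interpret_checked(const template_header_t *hdr, uint32_t *last) {
    if (validate_template(hdr) != 0)
        return -1;
    *last = 0;
    for (uint32_t i = 0; i < hdr->field_count && i < INTERPRETER_FIELDS; i++)
        *last = field_table[i];
    return 0;
}

/* Convenience entry points: exercise each path by field count alone. */
uint32_t run_unchecked(uint32_t field_count) {
    init_memory();
    template_header_t h = { 291, field_count };
    return interpret_unchecked(&h);
}

int run_checked(uint32_t field_count) {
    init_memory();
    template_header_t h = { 291, field_count };
    uint32_t last = 0;
    return interpret_checked(&h, &last);
}

int main(void) {
    printf("unchecked, 20 fields: last=%u\n", run_unchecked(20));                 /* 119 */
    printf("unchecked, 21 fields: last=0x%X (read outside the table)\n", run_unchecked(21)); /* 0xDEAD */
    printf("checked,   20 fields: rc=%d\n", run_checked(20));                     /* 0 */
    printf("checked,   21 fields: rc=%d (rejected at load time)\n", run_checked(21)); /* -1 */
    return 0;
}
```

The design point is that the count check belongs at load time, where a bad template can be rejected and logged before it ever reaches a hot path, and the per-access bound stays in place so that a future template type with a different count cannot reintroduce the over-read.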
In this regard, CrowdStrike said that this scenario with the faulty Channel File 291 “cannot now be repeated” and has reported on the process improvements and mitigation steps it is implementing “to ensure even greater resilience.”
First, it said it has updated the testing procedures for the content configuration system, including updated tests for developing sensor template types, which contain the predefined fields used to detect threats.
It also added new layers of security and controls to the content configuration system, providing its customers with additional control over the deployment of Rapid Response Content updates.
It has also advised its customers to avoid creating problematic Channel File 291 files, and has engaged two independent software security vendors to conduct a more thorough review of the Falcon sensor code and of its end-to-end communication and quality control processes.
2024-08-09 18:46:01