{"id":376,"date":"2024-09-17T13:24:11","date_gmt":"2024-09-17T19:24:11","guid":{"rendered":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/?p=376"},"modified":"2024-09-17T13:24:19","modified_gmt":"2024-09-17T19:24:19","slug":"crowdstrike-falcon-edr-issue-report","status":"publish","type":"post","link":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/2024\/09\/17\/crowdstrike-falcon-edr-issue-report\/","title":{"rendered":"CrowdStrike Falcon EDR issue report"},"content":{"rendered":"\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"has-primary-background-color has-background\">Airport delays, banks not working correctly, hospitals unable to provide services and many other daily services were affected by the CrowdStrike Falcon EDR issue. But what was the cause? And what can we learn from this incident? Let&#8217;s explore the issue report provided by CrowdStrike itself and analyse it.<\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading has-large-font-size\">What was the real cause?<\/h2>\n\n\n\n<p class=\"has-small-font-size\">On August 6th, 2024, CrowdStrike released its root cause analysis of the issue caused by a problematic content update to its Falcon Sensor agent on Windows.<\/p>\n\n\n\n<p class=\"has-small-font-size\">In brief, the report[1] attributes the crash to an out-of-bounds read. The template type behind the affected content defined 21 input parameter fields, but the sensor code that feeds the interpreter only supplied 20. Earlier template instances, including the one used in testing, had used a wildcard for the 21st field, which never requires the field to be read, so the mismatch was never exercised and, even though the content had been tested, the flaw was not discovered.<\/p>\n\n\n\n<p class=\"has-small-font-size\">On July 19th a new update shipped template instances that used the 21st parameter in a real comparison, while the sensor was still supplying only 20 parameters. 
Because that comparison had to read the field, the interpreter read past the end of the 20-element input array, and since the sensor runs in the Windows kernel the out-of-bounds read crashed the whole system rather than a single process.<\/p>\n\n\n\n<p class=\"has-small-font-size\">Although the cause seems very simple, it had a huge impact on end users across many industries.<\/p>\n\n\n\n<p class=\"has-text-align-center\"><img decoding=\"async\" width=\"398\" height=\"231\" data-src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXd7vO_uvF9UttL8kaROF137ZLnM9L1a4NvxM396MeX_y8epY75tmJGuS0eVXrBDFm982lfx4xwrN3wDUBIhgg-b8eLqvUL3iuyAfoLshe6BJXVmZqPHAeDyeST3FMfIOMUrFNItv7fNF2x-oboEbTfreIY?key=Ujb_8KoLs0ZoLnXhbJuWvg\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" class=\"lazyload\" style=\"--smush-placeholder-width: 398px; --smush-placeholder-aspect-ratio: 398\/231;\"><\/p>\n\n\n\n<p class=\"has-text-align-center has-small-font-size\">Oh my Windows!! [2]<\/p>\n\n\n\n<h2 class=\"wp-block-heading has-large-font-size\">How could it be?!<\/h2>\n\n\n\n<p class=\"has-small-font-size\">Software development has never been an easy task. Large, complex systems depend on automated pipelines to test software quality and security, and small details such as this one can slip past both the development and the test teams. 
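<\/p>\n\n\n\n<p class=\"has-small-font-size\">To make the mechanism concrete, here is an added illustration in C. It is not CrowdStrike&#8217;s code and every name in it is hypothetical: a tiny content interpreter evaluates a template instance (a list of criteria) against the input fields a sensor supplies. The sensor fills in 20 fields while the template type declares 21, mirroring the mismatch in the report. The unchecked evaluator dereferences whatever field index a criterion names, so a criterion on field 20 reads memory the sensor never set; the checked evaluator validates each index against the number of supplied fields and rejects the instance instead, and a load-time check catches the 21-versus-20 disagreement before any instance is evaluated at all. Those two checks correspond to the compile-time field-count validation and the runtime bounds checks listed among the remediations in the report[1]. To keep the demo memory-safe, the backing buffer has a 21st slot standing in for the adjacent memory the real sensor read; in the real incident that read hit memory outside the array and crashed the machine.<\/p>\n\n\n\n<pre class=\"wp-block-code\">
```c
/* Added illustration, not CrowdStrike code; every name here is hypothetical.
 * A minimal content interpreter evaluates a template instance (a list of
 * criteria) against the input fields a sensor supplies. Written without
 * headers or string literals so it is a self-contained C translation unit. */

#define SENSOR_FIELD_COUNT   20u  /* fields the sensor code actually fills in */
#define TEMPLATE_FIELD_COUNT 21u  /* fields the template type declares        */

enum verdict  { NO_MATCH = 0, MATCH = 1, REJECTED = -1 };
enum field_op { OP_WILDCARD, OP_EQUALS };

struct criterion {
    unsigned      field_index;  /* which input field this criterion inspects */
    enum field_op op;           /* a wildcard never reads the field          */
    long          value;        /* compared when op == OP_EQUALS             */
};

struct template_instance {
    unsigned                criteria_count;
    const struct criterion *criteria;
};

/* Load-time check: a template type may not declare more fields than the
 * interpreter was built to supply. Returns 1 when the two agree. */
int template_type_is_consistent(unsigned declared_fields, unsigned supplied_fields)
{
    return declared_fields > supplied_fields ? 0 : 1;
}

/* Vulnerable: trusts field_index and reads fields[idx] with no bounds check,
 * so an index of 20 reads beyond the 20 fields the sensor filled in. */
enum verdict evaluate_unchecked(const struct template_instance *t,
                                const long *fields)
{
    unsigned i;
    for (i = 0; i != t->criteria_count; ++i) {
        const struct criterion *c = &t->criteria[i];
        if (c->op == OP_WILDCARD)
            continue;
        if (fields[c->field_index] != c->value)
            return NO_MATCH;
    }
    return MATCH;
}

/* Hardened: every index is checked against the number of fields the caller
 * actually supplied before it is dereferenced. */
enum verdict evaluate_checked(const struct template_instance *t,
                              const long *fields, unsigned field_count)
{
    unsigned i;
    for (i = 0; i != t->criteria_count; ++i) {
        const struct criterion *c = &t->criteria[i];
        if (c->op == OP_WILDCARD)
            continue;
        if (c->field_index >= field_count)
            return REJECTED;  /* refuse to read outside the supplied fields */
        if (fields[c->field_index] != c->value)
            return NO_MATCH;
    }
    return MATCH;
}

/* Constructed scenario. The buffer is sized to the template's 21 fields only
 * so the unchecked read stays inside allocated memory for this demo; slot 20
 * stands in for whatever sat past the real 20-element array. k_old wildcards
 * field 20 (the pre-July-19 content); k_new compares it. */
static long g_fields[TEMPLATE_FIELD_COUNT];

static const struct criterion k_old_criteria[] = {
    {  0, OP_EQUALS,   7 },
    { 20, OP_WILDCARD, 0 },
};
static const struct criterion k_new_criteria[] = {
    {  0, OP_EQUALS, 7 },
    { 20, OP_EQUALS, 1 },
};
static const struct template_instance k_old = { 2, k_old_criteria };
static const struct template_instance k_new = { 2, k_new_criteria };

/* Fill the 20 sensor-supplied fields and plant a stale value in slot 20. */
static void setup_fields(long stale_beyond_array)
{
    unsigned i;
    for (i = 0; i != SENSOR_FIELD_COUNT; ++i)
        g_fields[i] = 0;
    g_fields[0] = 7;
    g_fields[SENSOR_FIELD_COUNT] = stale_beyond_array;
}

/* Old content behaves identically under both interpreters. */
int old_instance_unchecked(void)
{
    setup_fields(0);
    return evaluate_unchecked(&k_old, g_fields);
}
int old_instance_checked(void)
{
    setup_fields(0);
    return evaluate_checked(&k_old, g_fields, SENSOR_FIELD_COUNT);
}

/* New content: the unchecked verdict is decided by memory the sensor never
 * set, while the checked interpreter rejects the instance outright. */
int new_instance_unchecked(long stale_beyond_array)
{
    setup_fields(stale_beyond_array);
    return evaluate_unchecked(&k_new, g_fields);
}
int new_instance_checked(void)
{
    setup_fields(0);
    return evaluate_checked(&k_new, g_fields, SENSOR_FIELD_COUNT);
}
```
<\/pre>\n\n\n\n<p class=\"has-small-font-size\">Note that the unchecked interpreter does not fail loudly: its verdict simply depends on whatever value happens to sit in the slot it should never have read, which is exactly why the bug could pass functional tests that never exercised field 20.<\/p>\n\n\n\n<p class=\"has-small-font-size\">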
Other times the problem is releasing updates directly to production without first testing them on staging systems and without a gradual rollout that would limit the damage a defective update can do.<\/p>\n\n\n\n<p class=\"has-text-align-center\"><img decoding=\"async\" data-src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXcUHEWiQkcbzZDi2UNubawkOugnL6J8Zr7DGzIRRqlVJ2P-COpm84tmg-Gu0xUtbpjowl70E3kXYCpXO3E2Arhow-8SAwjjUMtk4K-6Nwq8g0S1i_pqydBzAzy9Ya2Bh4MW6qB1uWCC_CxR2HwvlB0G7UYz?key=Ujb_8KoLs0ZoLnXhbJuWvg\" width=\"278\" height=\"262\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" class=\"lazyload\" style=\"--smush-placeholder-width: 278px; --smush-placeholder-aspect-ratio: 278\/262;\"><\/p>\n\n\n\n<p class=\"has-text-align-center has-small-font-size\">Automation can be complicated too! [3]<\/p>\n\n\n\n<p class=\"has-small-font-size\">Software dedicated to OS security can easily have such a catastrophic effect on the system. It runs with high privileges (on Windows the Falcon sensor includes a kernel-mode driver) and can read, write and modify OS files and processes. A bug in that position does not just crash one program, it takes the whole machine down, and a flaw that an attacker could trigger would be a route to privilege escalation or code execution. Unfortunately there is still no clear way to avoid such high privileges in these products.<\/p>\n\n\n\n<p class=\"has-small-font-size\">As Johannes Ullrich put it in SANS NewsBites[4]:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"has-small-font-size\">\u201cComplex security software requiring frequent updates requires high levels of runtime protection and extensive pre-release testing of updates.\u201d
<\/p>\n<\/blockquote>\n\n\n\n<p class=\"has-small-font-size\">So good testing and release strategies are essential to keep problems like this to a minimum.<\/p>\n\n\n\n<h2 class=\"wp-block-heading has-large-font-size\">What was the impact on CrowdStrike&#8217;s reputation?<\/h2>\n\n\n\n<p class=\"has-small-font-size\">CrowdStrike&#8217;s public image took a hard hit. Right after the incident the company&#8217;s stock price dropped significantly.<\/p>\n\n\n\n<p class=\"has-text-align-center\"><img decoding=\"async\" width=\"299\" height=\"240\" data-src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXcA-9gNzi_-9dF1VaeiIp5Q_byc0Aw-fnnRQjxlHDlgJKRuGFgAOOJflGUiI3A_cNpLmorMNZd5G8nr3e9ZrfaBd4PRN7S_h6wtNSVBuo4WGTEpZtSfo8J8IEoOATDj6zHsud0a_M9EsaQPtyTbgswrDmUN?key=Ujb_8KoLs0ZoLnXhbJuWvg\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" class=\"lazyload\" style=\"--smush-placeholder-width: 299px; --smush-placeholder-aspect-ratio: 299\/240;\"><\/p>\n\n\n\n<p class=\"has-text-align-center has-small-font-size\">CrowdStrike share price (NASDAQ: CRWD) showing the impact of the July 19th incident[5]<\/p>\n\n\n\n<p class=\"has-small-font-size\">People stuck in airports, delayed flights and financial losses did not help to ease the impact on the company\u2019s image. Even the Canadian Centre for Cyber Security issued a public alert about the incident[6] with steps for mitigating it as soon as possible, although the outage was the result of a defective update rather than an attack. Misinformation also helped to spread fear among users and stakeholders.<\/p>\n\n\n\n<p class=\"has-small-font-size\">CrowdStrike has since corrected the issue in the sensor. It acknowledged the problem publicly and published a report on the incident and how it was mitigated[1]. 
This helps to rebuild confidence, as Lee Neely noted in SANS NewsBites[4]:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"has-small-font-size\">\u201cCrowdStrike has been extremely forthcoming in acknowledging and subsequently releasing technical details of the flaw in their application development and update process. [&#8230;] Publishing root cause analysis and hiring not one but two outside security review teams are each calculated steps by CrowdStrike at damage control. It appears to be working.\u201d<\/p>\n<\/blockquote>\n\n\n\n<p class=\"has-small-font-size\">But only time will tell whether the company\u2019s image is permanently affected.<\/p>\n\n\n\n<h2 class=\"wp-block-heading has-large-font-size\">What can we learn from this?<\/h2>\n\n\n\n<p class=\"has-small-font-size\">As information security professionals we need to stay aware of as many threats as possible. Even when an issue is not directly related to our own systems or programs, those systems may exchange data with affected assets, so it is important to maintain a broad view of our assets and of how they communicate with each other. Remember, even if you try to lock every door and back door, attackers only need one \u201copen\u201d door to do damage. 
That is why staying up to date and working to current best practices helps to avoid such problems.<\/p>\n\n\n\n<p>References:<\/p>\n\n\n\n<p>[1]<a href=\"https:\/\/www.crowdstrike.com\/wp-content\/uploads\/2024\/08\/Channel-File-291-Incident-Root-Cause-Analysis-08.06.2024.pdf\">https:\/\/www.crowdstrike.com\/wp-content\/uploads\/2024\/08\/Channel-File-291-Incident-Root-Cause-Analysis-08.06.2024.pdf<\/a><\/p>\n\n\n\n<p>[2]<a href=\"https:\/\/www.deviantart.com\/salmanarif\/art\/Windows-Error-Reporting-120299488\">https:\/\/www.deviantart.com\/salmanarif\/art\/Windows-Error-Reporting-120299488<\/a><\/p>\n\n\n\n<p>[3]<a href=\"https:\/\/open.substack.com\/pub\/workchronicles\/p\/comic-automation?utm_campaign=post&amp;utm_medium=web\">https:\/\/open.substack.com\/pub\/workchronicles\/p\/comic-automation?utm_campaign=post&amp;utm_medium=web<\/a><\/p>\n\n\n\n<p>[4]<a href=\"https:\/\/www.sans.org\/newsletters\/newsbites\/xxvi-61\/\">https:\/\/www.sans.org\/newsletters\/newsbites\/xxvi-61\/<\/a><\/p>\n\n\n\n<p>[5]<a href=\"https:\/\/www.google.com\/search?client=safari&amp;sca_esv=2f058df75e11d83a&amp;sca_upv=1&amp;rls=en&amp;sxsrf=ADLYWIIW2i8s-c9AXRTpXYpAhikI-y8o7g:1726590376624&amp;q=NASDAQ:+CRWD&amp;stick=H4sIAAAAAAAAAONgecRowS3w8sc9YSn9SWtOXmPU5OIKzsgvd80rySypFJLmYoOyBKX4uXj10_UNDdNy0nKTM0xMeBax8vg5Brs4BlopOAeFuwAAzKKAzEwAAAA&amp;sa=X&amp;ved=2ahUKEwiu3ciwssqIAxV7JDQIHWACBfgQsRV6BAgrEAI&amp;biw=1440&amp;bih=795&amp;dpr=2\">NASDAQ: CRWD<\/a><\/p>\n\n\n\n<p>[6]<a href=\"https:\/\/www.cyber.gc.ca\/en\/alerts-advisories\/issue-impacting-crowdstrike-falcon-edr#defn-cyber-threat\">https:\/\/www.cyber.gc.ca\/en\/alerts-advisories\/issue-impacting-crowdstrike-falcon-edr#defn-cyber-threat<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Airport delays, banks not working correctly, hospitals not able to provide services and many other daily services were affected due to the CrowdStrike Falcon EDR issue. But, what was the cause of this? 
And what can we learn from this incident? Let&#8217;s explore the issue report provided from CrowdStrike itself and make an analysis of &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/2024\/09\/17\/crowdstrike-falcon-edr-issue-report\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;CrowdStrike Falcon EDR issue report&#8221;<\/span><\/a><\/p>\n","protected":false},"author":667,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[1],"tags":[13,14],"class_list":["post-376","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-crowdstrike","tag-windows","entry"],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"Oscar ACM","author_link":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/author\/oscar-alfredo-constantino\/"},"_links":{"self":[{"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/posts\/376","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/users\/667"}],"replies":[{"embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/comments?post=376"}],"version-history":[{"count":3,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/posts\/376\/revisions"}],"predecessor-version":[{"id":379,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/posts\/376\/revisions\/379"}],"wp:attachment":[{"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/media?parent=376"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"ht
tps:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/categories?post=376"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/tags?post=376"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}