Summary of the Event
On July 19, 2024 at 04:09 UTC, CrowdStrike released a sensor configuration update for Windows systems. This update was one of the configuration changes made at regular intervals as part of the Falcon platform's protection mechanisms. However, this update caused a logic error in the systems, resulting in a blue screen of death (BSOD). The issue was fixed at 05:27 UTC and the update was rolled back. This error is not the result of a cyberattack.
Area of Influence
This incident affected systems running the Falcon sensor for Windows version 7.11 and above that were online between 04:09 UTC and 05:27 UTC on July 19, 2024. Systems that downloaded the configuration update during this time period were vulnerable to a blue screen of death. Linux and macOS systems were not affected because they do not use this configuration file.
Technical details
- Channel Files: Configuration files used as part of the Falcon sensor's behavioral protection mechanisms. These files are typically updated several times a day.
- Affected File: File with SYS extension starting with “C-00000291-” located in C:\Windows\System32\drivers\CrowdStrike directory. This file evaluates named pipe execution on Windows systems.
- Logic Error: Pipe File 291 was updated to target malicious named pipes used in cyberattacks. However, this update contained a logic error that caused the operating system to crash.
Recovery and Intervention
CrowdStrike has updated Channel File 291 to correct the error and address the issue. No further changes will be made to this file. The following are the recommended steps for affected customers:
Detection and Notification of the Incident:
- The BSOD error should be detected by IT monitoring systems or user notifications.
- All relevant internal stakeholders must be informed promptly.
Establishing an Incident Response Team:
- The incident response team should be assembled immediately and tasks should be distributed.
Initial Review and Assessment:
- The scope of affected systems and the impact on business operations should be evaluated.
Technical Intervention:
- Affected systems should be booted into safe mode and the relevant files should be deleted manually:
cd /d C:\
del “C:\Windows\System32\drivers\CrowdStrike\C-00000291*.sys”
System Restore and Update:
- Systems should be restored to a pre-incident restore point and CrowdStrike-provided updates should be applied.
Investigating the Origin and Cause of the Incident:
- Root cause analysis should be performed and details of the incident should be documented.
Communication and Information:
- Internal and external stakeholders should be informed that the situation has been resolved.
Preventive Measures and Improvement:
- Systems and processes should be reviewed and areas for improvement should be identified.
- Backup and recovery plans should be updated and employees should be trained regularly.
Evaluation of Results and Lessons:
- A post-incident evaluation meeting should be held and lessons learned should be reported.
Causes of Error
- Software Configuration Error: There is an error in the configuration settings.
- Testing Deficiencies: Lack of sufficiently comprehensive testing after updates.
- Security Vulnerabilities: Unknown security vulnerabilities can cause serious problems.
To request a quotation for the following: Cyber Security, Digital Transformation, MSSP, Penetration Testing, KVKK, GDPR, ISO 27001 and ISO 27701, please click here.