Skip to main content

CrowdStrike Denial of Service Alert

Last Update Date: 23 Jul 2024 Release Date: 19 Jul 2024 5181 Views

RISK: High Risk

TYPE: Operating Systems - Networks OS

TYPE: Networks OS

On 19 Jul 2024, CrowdStrike Falcon Sensor caused crashes on Windows hosts. Windows hosts running on cloud such as Azure, AWS, etc. are also affected. The symptoms include hosts experiencing a bugcheck\blue screen error.

 

Threat actors has been observed taking advantage of this incident for phishing and other malicious activities, including the following:

  • Sending phishing emails posing as CrowdStrike support to customers
  • Impersonating CrowdStrike staff in phone calls
  • Posing as independent researchers, claiming to have evidence the technical issue is linked to a cyberattack and offering remediation insights
  • Selling scripts purporting to automate recovery from the content update issue

HKCERT recommands that users ensure they are communicating with CrowdStrike representatives through official channels and they adhere to technical guidance the CrowdStrike support theams have provided.
 

CrowdStrike Engineering has identified a content deployment related to this issue and reverted those changes.

 

If hosts are still crashing and unable to stay online to receive the Channel File Changes, please take the workaround in the "Solution" section

 

Note:

No patch is currently available for affected products.

 

[Updated on 2024-07-20] 

Updated Description, System / Technologies affected, Solutions and Related Links.

 

[Updated on 2024-07-21] 

Updated Solutions and Related Links.

 

[Updated on 2024-07-23] 

Updated Solutions and Related Links.


Impact

  • Denial of Service

System / Technologies affected

  • CrowdStrike Falcon Sensor for Windows version 7.11 and above, that were online or downloaded the updated configuration between Friday, July 19, 2024 04:09 UTC to 05:27 UTC


Solutions

Before installation of the software, please visit the vendor web-site for more details.

 

Windows hosts which have not been impacted do not require any action as the problematic channel file has been reverted.

 

Workaround Steps for individual hosts:

  • Reboot the host to give it an opportunity to download the reverted channel file. 
  • If the host crashes again, then:
    Note: Bitlocker-encrypted hosts may require a recovery key.
    • Review the following video on CrowdStrike Host Self-Remediation for Remote Users. Follow the instructions contained within the video if directed to do so by your organization’s IT department.
    • Boot Windows into Safe Mode or the Windows Recovery Environment
      • NOTE: Putting the host on a wired network (as opposed to WiFi) and using Safe Mode with Networking can help remediation.
    • Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory
      • Windows Recovery defaults to X:\windows\system32
        • Navigate to the appropriate partition first (default is C:\), and navigate to the crowdstrike directory:
          • C:
          • cd windows\system32\drivers\crowdstrike
      • Note: On WinRE/WinPE, navigate to the Windows\System32\drivers\CrowdStrike directory of the OS volume
    • Locate the file matching “C-00000291*.sys”, and delete it.
      • Do not delete or change any other files or folders
    • Cold Boot the host
      • Shutdown the host
      • Start host from the off state

 

 

For VM running on cloud platform, please apply workarounds issued by the vendor:

 

 

Notes: CrowdStrike will update the solution from time to time, for latest information, please refer to https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/


Vulnerability Identifier

  • No CVE information is available

Source


Related Link