Saturday, January 18, 2025

CrowdStrike Publishes Root Cause of Global System Outages

CrowdStrike, a cybersecurity company, has released its analysis of the Falcon Sensor software update crash that affected millions of Windows devices worldwide.

The “Channel File 291” incident was traced back to a content validation issue. This issue came up when a new Template Type was introduced. The purpose of this new Template Type was to detect and identify novel attack techniques that exploit named pipes and other Windows interprocess communication (IPC) mechanisms. This incident was originally highlighted in the Preliminary Post Incident Review (PIR).

The problem is related to a content update that caused multiple issues, leading to a crash. There was a mismatch between the inputs passed to the Content Validator and the Content Interpreter.

CrowdStrike stated that the parameter mismatch was not detected during the rigorous testing process, which involved multiple layers of scrutiny. This was partly because wildcard matching criteria were used for the 21st input during testing and in the initial IPC Template Instances delivered between March and April 2024.

The new Channel File 291 released on July 19, 2024, was the first IPC Template Instance to use the 21st input parameter field. The absence of a specific test case for non-wildcard matching criteria in the 21st field was only highlighted after the Rapid Response Content had been sent to the sensors.

“Sensors that received the new version of Channel File 291 carrying the problematic content were exposed to a latent out-of-bounds read issue in the Content Interpreter,” the company said.

“At the next IPC notification from the operating system, the new IPC Template Instances were evaluated, specifying a comparison against the 21st input value. The Content Interpreter expected only 20 values. Therefore, the attempt to access the 21st value produced an out-of-bounds memory read beyond the end of the input data array and resulted in a system crash.”

“CrowdStrike addressed the issue by verifying the number of input fields in the Template Type at sensor compile time and implementing runtime input array bounds checks in the Content Interpreter. They also fixed the number of inputs provided by the IPC Template Type.”

“The added bounds check prevents the Content Interpreter from performing an out-of-bounds access of the input array and crashing the system,” it noted. “The additional check adds an extra layer of runtime validation that the size of the input array matches the number of inputs expected by the Rapid Response Content.”

On top of that, CrowdStrike said it plans to increase test coverage during Template Type development to include test cases for non-wildcard matching criteria for each field in all (future) Template Types.

Some of the sensor updates are also expected to resolve the following gaps:

The Content Validator is being modified to add new checks to ensure that content in Template Instances does not include matching criteria that match over more fields than are being provided as input to the Content Interpreter

The Content Validator is being modified to only allow wildcard matching criteria in the 21st field, which prevents the out-of-bounds access in the sensors that only provide 20 inputs

The Content Configuration System has been updated with new test procedures to ensure that every new Template Instance is tested, regardless of the fact that the initial Template Instance is tested with the Template Type at creation

The Content Configuration System has been updated with additional deployment layers and acceptance checks

The Falcon platform has been updated to provide customers with increased control over the delivery of Rapid Response Content
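The 21-field versus 20-input mismatch, the runtime bounds check and the Content Validator check described above can be modelled in a few lines of C. This is an added example and not CrowdStrike's code: the structure, the function names and the sample data are hypothetical, and a NULL criterion stands in for a wildcard.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TEMPLATE_FIELDS 21  /* fields the Template Type defines */
#define SENSOR_INPUTS   20  /* values the sensor code actually supplies */

enum { EVAL_REJECTED = -1, EVAL_NO_MATCH = 0, EVAL_MATCH = 1 };

/* Hypothetical model of a Template Instance: NULL means wildcard. */
typedef struct { const char *criteria[TEMPLATE_FIELDS]; } template_instance;

/* Validator check: no non-wildcard criterion beyond the supplied inputs. */
int validate_instance(const template_instance *t, size_t n_inputs) {
    for (size_t i = n_inputs; i < TEMPLATE_FIELDS; i++)
        if (t->criteria[i] != NULL) return 0;
    return 1;
}

/* Interpreter with a runtime bounds check before every input read. */
int evaluate(const template_instance *t, const char *const *in, size_t n_inputs) {
    for (size_t i = 0; i < TEMPLATE_FIELDS; i++) {
        if (t->criteria[i] == NULL) continue;     /* wildcard: in[i] is never read */
        if (i >= n_inputs) return EVAL_REJECTED;  /* else in[20] is read out of bounds */
        if (in[i] == NULL || strcmp(t->criteria[i], in[i]) != 0) return EVAL_NO_MATCH;
    }
    return EVAL_MATCH;
}

/* Constructed sample data: 20 inputs, only the first one populated. */
static const char *const sample_in[SENSOR_INPUTS] = { "demo_pipe" };
static template_instance make_sample(const char *field21) {
    template_instance t = { .criteria = { [0] = "demo_pipe", [20] = field21 } };
    return t;
}
int sample_validates(const char *field21) {
    template_instance t = make_sample(field21);
    return validate_instance(&t, SENSOR_INPUTS);
}
int sample_evaluates(const char *field21) {
    template_instance t = make_sample(field21);
    return evaluate(&t, sample_in, SENSOR_INPUTS);
}

int main(void) {
    printf("wildcard 21st field: valid=%d eval=%d\n", sample_validates(NULL), sample_evaluates(NULL));
    printf("literal 21st field:  valid=%d eval=%d\n", sample_validates("x"), sample_evaluates("x"));
    return 0;
}
```

With a wildcard in the 21st field the instance passes both checks, which is why wildcard-only test content never exercised the faulty read; a literal criterion there is refused by the validator and, if it still reaches the interpreter, rejected instead of indexing past the 20-element array.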

CrowdStrike has hired two independent software security vendors to review the Falcon sensor code. They are also conducting a review of the quality process from development to deployment.
