CrowdStrike Reveals the Root Cause of Windows Crashes around the World

The flaw in Falcon Sensor caused billions of dollars in losses and massive device outages.

The information security company CrowdStrike has explained the cause of the Falcon Sensor failure that disrupted millions of Windows-based devices around the world.

The "Channel File 291" incident was caused by a content validation issue after a new type of template was introduced to detect new attack techniques that use named pipes and other Windows interprocess communication (IPC) mechanisms.

The new template type resulted in a parameter mismatch: 21 input parameters were passed to the Content Validator, whereas the Content Interpreter supplied only the expected 20. The discrepancy was not detected during testing and caused the failure. As a result, sensors that received the new update performed an out-of-bounds memory read, which led to system crashes.

In other words, the new version of Channel File 291, released on July 19, is the first instance of the IPC template to use the 21st parameter. The lack of a specific test for non-wildcard matching criteria in the 21st field meant that the problem was not detected before the rapid content update was pushed to the sensors.

CrowdStrike has made changes to prevent similar issues in the future. Input array bounds checks have been added and the number of tests for new templates has been increased. The company also engaged third-party experts to analyze the code and improve quality. In addition, the Falcon platform has been updated to give customers more control over the delivery of updates.
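To make the failure mode concrete, here is an added illustration (not CrowdStrike's code; the structures, names and the 20/21 field values are hypothetical, modeled only on the description above). A template is a list of per-field matching criteria, "*" meaning wildcard; an event carries the parameters the interpreter actually extracted. The validator rejects any template that puts a concrete criterion in a field the interpreter does not supply, which is exactly the missing test described above, and the matcher never indexes the parameter array past its populated length:

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MAX_FIELDS 32
#define WILDCARD "*"

/* Result of evaluating a template against an event. */
typedef enum { IPC_NO_MATCH = 0, IPC_MATCH = 1, IPC_TEMPLATE_REJECTED = -1 } ipc_result_t;

/* Hypothetical template: one matching criterion per input field. */
typedef struct {
    size_t field_count;
    const char *criteria[MAX_FIELDS];   /* "*" = wildcard, otherwise exact match */
} ipc_template_t;

/* Hypothetical IPC event: the parameters the interpreter extracted. */
typedef struct {
    size_t param_count;
    const char *params[MAX_FIELDS];
} ipc_event_t;

/* Content-validation step: reject any template that expects a concrete
 * (non-wildcard) value in a field the interpreter does not supply. */
bool template_is_valid(const ipc_template_t *t, size_t supplied_params) {
    if (t->field_count > MAX_FIELDS) return false;
    for (size_t i = supplied_params; i < t->field_count; i++) {
        if (strcmp(t->criteria[i], WILDCARD) != 0)
            return false;   /* would need params[i], which does not exist */
    }
    return true;
}

/* Matcher with an input-array bounds check: never reads params[] past param_count. */
ipc_result_t match_event(const ipc_template_t *t, const ipc_event_t *e) {
    if (!template_is_valid(t, e->param_count))
        return IPC_TEMPLATE_REJECTED;
    for (size_t i = 0; i < t->field_count && i < e->param_count; i++) {
        if (strcmp(t->criteria[i], WILDCARD) == 0) continue;
        if (strcmp(t->criteria[i], e->params[i]) != 0)
            return IPC_NO_MATCH;
    }
    return IPC_MATCH;
}

/* Helper: build an n-field template that is all wildcards except one field. */
static void fill_template(ipc_template_t *t, size_t n, size_t set_field, const char *value) {
    t->field_count = n;
    for (size_t i = 0; i < n; i++) t->criteria[i] = WILDCARD;
    if (set_field < n) t->criteria[set_field] = value;
}

/* Constructed sample event with 20 parameters, as the interpreter supplies. */
static ipc_event_t sample_event(void) {
    ipc_event_t e = { .param_count = 20 };
    for (size_t i = 0; i < e.param_count; i++) e.params[i] = "x";
    e.params[0] = "\\\\.\\pipe\\example";   /* constructed pipe name */
    return e;
}

/* 21-field template whose 21st field is a wildcard: accepted and evaluated
 * over the 20 real parameters. */
ipc_result_t demo_wildcard_21st_field(void) {
    ipc_template_t t;
    fill_template(&t, 21, 0, "\\\\.\\pipe\\example");
    ipc_event_t e = sample_event();
    return match_event(&t, &e);   /* IPC_MATCH */
}

/* 21-field template with a concrete 21st criterion: the validator rejects it
 * instead of the matcher reading params[20], which was never populated. */
ipc_result_t demo_concrete_21st_field(void) {
    ipc_template_t t;
    fill_template(&t, 21, 20, "some-value");
    ipc_event_t e = sample_event();
    return match_event(&t, &e);   /* IPC_TEMPLATE_REJECTED */
}
```

The point of the two demo functions is that a wildcard-only extra field is harmless, so a test suite that only ever exercises wildcards in the new field will pass; the check has to be run with a concrete value in that field, and the bounds check in the matcher is what turns a bad template into a rejected update rather than a kernel-mode crash.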

The faulty update quickly caused serious disruption at organizations around the world, for example:
  • British TV channel Sky News stopped broadcasting;
  • The London Stock Exchange experienced a massive disruption;
  • A technical glitch caused chaos at Sydney and Melbourne airports, with check-in desks unavailable;
  • All flights of several major U.S. airlines, including Delta, United and American Airlines, were canceled;
  • Turkish Airlines also warned of a global disruption that caused serious problems with ticket booking and check-in;
  • Britain's largest rail operator, Govia Thameslink Railway, reported disruptions and possible train cancellations.

The incident quickly affected CrowdStrike's position on the stock market: at the time of writing, the company's share price had fallen by as much as 20%, an unusually large move for a single day.

Parametrix, one of the leading providers of cloud-based monitoring, modeling, and insurance services, estimated $5.4 billion in direct financial damage to U.S. Fortune 500 companies (excluding Microsoft) affected by the CrowdStrike glitch.
