SecurityWeek

Incident Response

CrowdStrike Dismisses Claims of Exploitability in Falcon Sensor Bug

CrowdStrike dismissed claims that the Falcon EDR sensor bug could be exploited for privilege escalation or remote code execution.


CrowdStrike is dismissing an explosive claim from a Chinese security research firm that the Falcon EDR sensor bug that blue-screened millions of Windows computers could be exploited for privilege escalation or remote code execution.

According to technical documentation published by Qihoo 360 (see translation), the direct cause of the BSOD loop is a memory corruption issue during opcode verification, opening the door to potential local privilege escalation or remote code execution attacks.

“Although it seems that the memory cannot be directly controlled here, the virtual machine engine of `CSAgent.sys` is actually Turing-complete; just like the Duqu virus using the font virtual machine in atmfd.dll, it can achieve complete control of the external (i.e., operating system kernel) memory with specific utilization techniques, and then obtain code execution permissions,” Qihoo 360 said.

“After in-depth analysis, we found that the conditions for LPE or RCE vulnerabilities are actually met here,” the Chinese anti-malware vendor said.

Just one day after publishing a technical root cause analysis on the issue, CrowdStrike published additional documentation with a dismissal of “inaccurate reporting and false claims.” 

[The bug] provides no mechanism to write to arbitrary memory addresses or control program execution — even under ideal circumstances where an attacker could influence kernel memory. “Our analysis, which has been peer reviewed, outlines why the Channel File 291 incident is not exploitable in a way that achieves privilege escalation or remote code execution,” said CrowdStrike vice president Adam Meyers.

Meyers explained that the bug resulted from code expecting 21 inputs while only being provided with 20, leading to an out-of-bounds read. “Even if an attacker had complete control of the value being read, the value is only used as a string containing a regular expression. We have investigated the code paths following the OOB read in detail, and there are no paths leading to additional memory corruption or control of program execution,” he declared.
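To make the 21-versus-20 mismatch concrete, the following is an added illustration in C (not CrowdStrike's code; the record layout, field names and counts are constructed): an accessor that trusts the consuming code's expected field count beside one bounded by the record's own count, plus an up-front check that rejects a short record before any field is read.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of the mismatch the article describes: matching code
 * expects 21 input fields, the delivered record carries 20. Hypothetical
 * names and layout, not CrowdStrike's code. */
#define MAX_FIELDS      32
#define TEMPLATE_FIELDS 21   /* what the consuming code expects */
#define RECORD_FIELDS   20   /* what the record actually supplies */

struct record {
    size_t count;                  /* valid entries in fields[] */
    const char *fields[MAX_FIELDS];
};

/* Vulnerable pattern: the index comes from the template and the record's
 * count is ignored. Slot 20 is past the valid entries, so the caller gets
 * whatever stale pointer sits there (modelled here with a poison string). */
const char *field_unchecked(const struct record *r, size_t idx)
{
    return r->fields[idx];
}

/* Hardened pattern: the record's own count is the bound; anything the
 * record did not supply is reported as absent rather than read. */
const char *field_checked(const struct record *r, size_t idx)
{
    return idx < r->count ? r->fields[idx] : NULL;
}

/* Up-front validation so the 20-vs-21 mismatch is rejected once, before
 * any field is consumed. Returns 1 if the record satisfies the template. */
int record_fits_template(const struct record *r, size_t template_fields)
{
    return r->count >= template_fields;
}

/* Build the constructed record: 20 valid fields, unused slots poisoned
 * so an over-read is observable instead of silently returning garbage. */
void make_record(struct record *r)
{
    for (size_t i = 0; i < MAX_FIELDS; i++)
        r->fields[i] = "<stale memory>";
    for (size_t i = 0; i < RECORD_FIELDS; i++)
        r->fields[i] = "valid-field";
    r->count = RECORD_FIELDS;
}
```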

Meyers said CrowdStrike has implemented multiple layers of protection to prevent tampering with channel files, noting that these safeguards “make it extremely difficult for attackers to leverage the OOB read for malicious purposes.”


He said any claim that it is possible to provide arbitrary malicious channel files to the sensor is false, noting that CrowdStrike prevents these types of attacks through multiple protections within the sensor that prevent tampering with assets (such as channel files) when they are delivered from CrowdStrike servers and stored locally on disk.

Meyers said the company uses certificate pinning, checksum validation, ACLs on directories and files, and anti-tampering detections, protections that “make it extremely difficult for attackers to leverage channel file vulnerabilities for malicious purposes.”

CrowdStrike also responded to unidentified posts that mention an attack that modifies proxy settings to point web requests (including CrowdStrike traffic) to a malicious server, and argued that a malicious proxy cannot overcome TLS certificate pinning to cause the sensor to download a modified channel file.

From the latest CrowdStrike documentation:

  1. The out-of-bounds read bug, while a serious issue that we have addressed, does not provide a pathway for arbitrary memory writes or control of program execution. This significantly limits its potential for exploitation.
  2. The Falcon sensor employs multiple layered security controls to protect the integrity of channel files. These include cryptographic measures like certificate pinning and checksum validation and system-level protections such as access control lists and active anti-tampering detections.
  3. While the disassembly of our string-matching operators may superficially resemble a virtual machine, the actual implementation has strict limitations on memory access and state manipulation. This design significantly constrains the potential for exploitation, regardless of computational completeness.
  4. Our internal security team and two independent third-party software security vendors have rigorously examined these claims and the underlying system architecture. This collaborative approach ensures a comprehensive evaluation of the sensor’s security posture.

CrowdStrike previously said the incident was caused by a confluence of security vulnerabilities and process gaps and vowed to work with software maker Microsoft on secure and reliable access to the Windows kernel.

Related: CrowdStrike Releases Root Cause Analysis of Falcon Sensor BSOD Crash

Related: CrowdStrike Says Logic Error Caused Windows BSOD Chaos

Related: CrowdStrike Faces Lawsuits From Customers, Investors

Related: Insurer Estimates Billions in Losses in CrowdStrike Outage Losses

Related: CrowdStrike Explains Why Bad Update Was Not Properly Tested

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
