8500000 台 Windows 蓝屏:逻辑错误是根因
2024 年 7 月 21 日,CrowdStrike 发布了#微软蓝屏 分析报告,全球性电脑宕机是由一个逻辑错误引起的。
事后查明,导致全球众多系统瘫痪的全球性电脑宕机归咎于网络安全公司CrowdStrike 在一次例行更新中出现的逻辑错误。
这家公司发布了 Falcon 安全软件的配置更新,结果导致无数受影响的 Windows 系统出现了臭名昭著的蓝屏死机(BSOD)。
据 CrowdStrike的分析报告显示:“配置更新导致了一个逻辑错误,从而导致受影响的系统出现系统崩溃和蓝屏死机。”
微软官方发布博文称,CrowdStrike 的更新影响了 850 万台 Windows 设备,约占 Windows 设备总数的 1%。虽然百分比很小,但对经济和社会造成的广泛影响反映了无数运营许多关键服务的企业使用 CrowdStrike 的事实。
Technical Details: Falcon Content Update for Windows Hosts
What Happened?
On July 19, 2024 at 04:09 UTC, as part of ongoing operations, CrowdStrike released a sensor configuration update to Windows systems. Sensor configuration updates are an ongoing part of the protection mechanisms of the Falcon platform. This configuration update triggered a logic error resulting in a system crash and blue screen (BSOD) on impacted systems.
The sensor configuration update that caused the system crash was remediated on Friday, July 19, 2024 05:27 UTC.
This issue is not the result of or related to a cyberattack.
Impact
Customers running Falcon sensor for Windows version 7.11 and above, that were online between Friday, July 19, 2024 04:09 UTC and Friday, July 19, 2024 05:27 UTC, may be impacted.
Systems running Falcon sensor for Windows 7.11 and above that downloaded the updated configuration from 04:09 UTC to 05:27 UTC – were susceptible to a system crash.
Configuration File Primer
The configuration files mentioned above are referred to as “Channel Files” and are part of the behavioral protection mechanisms used by the Falcon sensor. Updates to Channel Files are a normal part of the sensor’s operation and occur several times a day in response to novel tactics, techniques, and procedures discovered by CrowdStrike. This is not a new process; the architecture has been in place since Falcon’s inception.
Technical Details
On Windows systems, Channel Files reside in the following directory:
C:\Windows\System32\drivers\CrowdStrike\
and have a file name that starts with “C-”. Each channel file is assigned a number as a unique identifier. The impacted Channel File in this event is 291 and will have a filename that starts with “C-00000291-” and ends with a .sys extension. Although Channel Files end with the SYS extension, they are not kernel drivers.
Channel File 291 controls how Falcon evaluates named pipe1 execution on Windows systems. Named pipes are used for normal, interprocess or intersystem communication in Windows.
The update that occurred at 04:09 UTC was designed to target newly observed, malicious named pipes being used by common C2 frameworks in cyberattacks. The configuration update triggered a logic error that resulted in an operating system crash.
Channel File 291
CrowdStrike has corrected the logic error by updating the content in Channel File 291. No additional changes to Channel File 291 beyond the updated logic will be deployed. Falcon is still evaluating and protecting against the abuse of named pipes.
This is not related to null bytes contained within Channel File 291 or any other Channel File.
Remediation
The most up-to-date remediation recommendations and information can be found on our blog or in the Support Portal.
We understand that some customers may have specific support needs and we ask them to contact us directly.
Systems that are not currently impacted will continue to operate as expected, continue to provide protection, and have no risk of experiencing this event in the future.
Systems running Linux or macOS do not use Channel File 291 and were not impacted.
Root Cause Analysis
We understand how this issue occurred and we are doing a thorough root cause analysis to determine how this logic flaw occurred. This effort will be ongoing. We are committed to identifying any foundational or workflow improvements that we can make to strengthen our process. We will update our findings in the root cause analysis as the investigation progresses.
微信扫码关注该文公众号作者