Friday’s CrowdStrike update caused Microsoft Windows computers around the world to crash and devices to display a blue screen.
This sudden outage left companies around the world, including several news outlets, unable to restart their systems.
Immediately after the outage occurred, concerned users reported the problem on forums such as Reddit. One user mentioned that he was stuck in a boot loop and his entire organization was affected.
So if you encountered this problem when you arrived at work on Friday morning, you weren’t the only one.
What happened to IT systems?
On Friday at 04:09 UTC, CrowdStrike released a sensor configuration update for Windows systems as part of ongoing operations. Such updates are a routine part of the Falcon platform’s protection mechanisms.
This configuration update triggered a logic bug that resulted in a system crash and a blue screen (BSOD) on affected systems.
The sensor configuration update that caused the crashes was corrected at 05:27 UTC.
The issue was not the result of, or related to, a cyber attack.
What was its impact?
Customers using Falcon sensor for Windows version 7.11 and higher who were online between 04:09 UTC and 05:27 UTC on Friday may have been affected.
Systems running Falcon sensor for Windows 7.11 and higher that downloaded the updated configuration between 04:09 UTC and 05:27 UTC were susceptible to a system crash.
Configuration file primer
The configuration files described above are referred to as “Channel Files” and are part of the behavior protection mechanisms used by the Falcon sensor.
Updates to Channel Files are a normal part of sensor operation and occur several times a day in response to new tactics, techniques and procedures discovered by CrowdStrike. This is not a new process as the architecture has been around since the beginning of Falcon.
Specifications
On Windows systems, Channel Files are located in the following directory:
C:\Windows\System32\drivers\CrowdStrike\
They have a file name that starts with “C-”. Each Channel File is assigned a number as a unique identifier. The affected Channel File in this event is 291; its file name starts with “C-00000291-” and ends with a .sys extension. Although Channel Files end with a SYS extension, they are not kernel drivers.
Channel File 291 controls how Falcon evaluates named pipe execution on Windows systems. Named pipes are used for normal inter-process or inter-system communication in Windows.
The update released at 04:09 UTC was designed to target newly observed malicious named pipes used by common C2 frameworks in cyberattacks. The configuration update triggered a logic error that caused the operating system to crash.
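To make the naming convention above concrete, here is a small inventory script (an added example, not CrowdStrike tooling) that lists the directory named above, parses the channel number out of each “C-<number>-…​.sys” file name, and flags Channel File 291 entries whose modification time falls inside the 04:09–05:27 UTC window. The date 2024-07-19 and the use of file modification time as an indicator are assumptions made here (the page gives only the times), and the sample listing is constructed, so the script runs offline on any machine.

```python
import os
import re
from datetime import datetime, timezone
from pathlib import Path

# Directory named on the page for Windows hosts.
CHANNEL_FILE_DIR = Path(r"C:\Windows\System32\drivers\CrowdStrike")

# Channel Files are named C-<8-digit channel number>-<suffix>.sys; 291 is the affected channel.
CHANNEL_FILE_RE = re.compile(r"^C-(\d{8})-.*\.sys$", re.IGNORECASE)
AFFECTED_CHANNEL = 291

# Faulty content was served between these UTC times on Friday. The date is an
# assumption made in this example; the page only states the times.
WINDOW_START = datetime(2024, 7, 19, 4, 9, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 7, 19, 5, 27, tzinfo=timezone.utc)


def channel_number(filename: str):
    """Return the channel number encoded in a Channel File name, or None if it is not one."""
    m = CHANNEL_FILE_RE.match(filename)
    return int(m.group(1)) if m else None


def classify(filename: str, mtime: datetime) -> str:
    """Classify one directory entry by name and UTC modification time."""
    num = channel_number(filename)
    if num is None:
        return "not-channel-file"
    if num != AFFECTED_CHANNEL:
        return "other-channel"
    # Heuristic (assumption): a Channel File 291 written during the faulty window
    # may hold the content that triggered the crash; anything else is reported as outside it.
    if WINDOW_START <= mtime.astimezone(timezone.utc) <= WINDOW_END:
        return "c291-in-window"
    return "c291-outside-window"


def triage(entries):
    """entries: iterable of (filename, mtime) pairs -> dict of filename -> classification."""
    return {name: classify(name, mtime) for name, mtime in entries}


def scan_directory(directory: Path = CHANNEL_FILE_DIR):
    """Read names and UTC modification times from the real Channel File directory, if present."""
    if not directory.is_dir():
        return []
    return [
        (entry.name, datetime.fromtimestamp(entry.stat().st_mtime, tz=timezone.utc))
        for entry in os.scandir(directory)
        if entry.is_file()
    ]


# Constructed sample listing (not a capture from a real host), used when the directory is absent.
SAMPLE_ENTRIES = [
    ("C-00000291-00000000-00000029.sys", datetime(2024, 7, 19, 4, 30, tzinfo=timezone.utc)),
    ("C-00000291-00000000-00000030.sys", datetime(2024, 7, 19, 6, 0, tzinfo=timezone.utc)),
    ("C-00000043-00000000-00000012.sys", datetime(2024, 7, 18, 23, 0, tzinfo=timezone.utc)),
    ("example-driver.sys", datetime(2024, 7, 1, 12, 0, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    entries = scan_directory() or SAMPLE_ENTRIES
    for name, verdict in sorted(triage(entries).items()):
        print(f"{verdict:22} {name}")
```

The script only reports; it changes nothing on disk. A “c291-in-window” verdict is a prompt to consult CrowdStrike’s current guidance for that host, not proof that the file is the faulty version, since a file’s modification time can be altered by later updates, restores or imaging.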
Channel File 291
CrowdStrike fixed the logic bug by updating the content in Channel File 291. No further changes to Channel File 291 beyond the updated logic will be deployed. Falcon still evaluates and protects against abuse of named pipes.
The issue is not related to null bytes contained in Channel File 291 or any other Channel File.
Remedy
The most up-to-date recommendations and remediation information can be found on CrowdStrike’s blog or its support portal.
“We understand that some customers may have specific support needs, and we ask that they contact us directly,” CrowdStrike said on its website.
Systems that are not affected will continue to function as expected, continue to provide protection, and are not at risk of this event occurring in the future.
Systems running Linux or macOS do not use Channel File 291 and were not affected.