CrowdStrike Identifies Root Cause of Massive Windows Outage

CrowdStrike Root Cause Analysis

The cybersecurity company CrowdStrike has disclosed the root cause analysis behind the Falcon Sensor software malfunction, which disrupted the operation of millions of Windows-based devices worldwide.

The incident, termed “Channel File 291,” was triggered by a content validation issue following the introduction of a new template type for detecting novel attack techniques exploiting named pipes and other Windows inter-process communication (IPC) mechanisms.

The new template type resulted in a parameter mismatch: 21 input parameters were passed to the Content Validator instead of the expected 20 provided by the Content Interpreter. This discrepancy was not detected during testing and led to the malfunction. Consequently, sensors receiving the new update encountered out-of-bounds memory reads, causing system crashes.

In other words, the new version of Channel File 291, released on July 19, was the first instance of an IPC template using a 21st parameter. The absence of a specific test for wildcard-free match criteria in the 21st field meant the issue was not identified before the rapid content update was deployed to the sensors.

CrowdStrike has implemented changes to prevent similar issues in the future. These include adding input array boundary checks and increasing the number of tests for new templates. The company also engaged external experts to analyze the code and enhance its quality. Additionally, the Falcon platform was updated to give clients greater control over update delivery.
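To make the failure mode concrete, here is an added, hypothetical C model of the two stages the article describes: a validator that checks template fields but never compares the field count against the number of inputs the interpreter supplies, and an interpreter that indexes an input array by field position. This is illustrative code written for this page, not CrowdStrike's Falcon sensor code; the constants `INTERPRETER_INPUTS` (20) and the field, template and event structures are assumptions chosen to mirror the 20-versus-21 mismatch. The model also shows why a wildcard 21st field hides the bug: a wildcard never reads its input, so only a non-wildcard criterion in field 21 reaches the out-of-bounds position.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: the interpreter supplies this many inputs per event. */
#define INTERPRETER_INPUTS 20
/* Assumption: an upper bound on fields a template may declare. */
#define MAX_TEMPLATE_FIELDS 32

/* One match criterion per field; NULL means "wildcard, match anything". */
typedef struct {
    size_t field_count;
    const char *criteria[MAX_TEMPLATE_FIELDS];
} Template;

/* Constructed event: exactly INTERPRETER_INPUTS string inputs. */
typedef struct {
    const char *values[INTERPRETER_INPUTS];
} Event;

/* Model of the validator before the fix: every criterion is checked for
 * being well formed, but field_count is never compared with the number
 * of inputs the interpreter can actually supply. */
bool validate_fields_only(const Template *t) {
    if (t->field_count == 0 || t->field_count > MAX_TEMPLATE_FIELDS)
        return false;
    for (size_t i = 0; i < t->field_count; i++) {
        /* A present but empty criterion is malformed. */
        if (t->criteria[i] != NULL && t->criteria[i][0] == '\0')
            return false;
    }
    return true;
}

/* Hardened validator: the input array boundary check is added. */
bool validate_with_bounds(const Template *t) {
    if (!validate_fields_only(t))
        return false;
    return t->field_count <= INTERPRETER_INPUTS;
}

/* Interpreter with an in-loop bounds check.
 * Returns 1 on match, 0 on mismatch, -1 if a criterion would have read
 * past the input array (the position where an unchecked interpreter
 * performs an out-of-bounds read). */
int interpret(const Template *t, const Event *e) {
    for (size_t i = 0; i < t->field_count; i++) {
        if (t->criteria[i] == NULL)
            continue;               /* wildcard: the input is never touched */
        if (i >= INTERPRETER_INPUTS)
            return -1;              /* would be an out-of-bounds read */
        if (strcmp(t->criteria[i], e->values[i]) != 0)
            return 0;
    }
    return 1;
}

/* Build a template with n fields: all wildcards except the last one. */
static Template make_template(size_t n, const char *last_criterion) {
    Template t;
    memset(&t, 0, sizeof t);
    t.field_count = n;
    t.criteria[n - 1] = last_criterion;
    return t;
}

/* Constructed event whose every input is the string "x". */
static Event make_event(void) {
    Event e;
    for (size_t i = 0; i < INTERPRETER_INPUTS; i++)
        e.values[i] = "x";
    return e;
}

/* Scenario helpers: n fields, with last_criterion in the final field. */
int old_validator_accepts(size_t n, const char *last_criterion) {
    Template t = make_template(n, last_criterion);
    return validate_fields_only(&t) ? 1 : 0;
}

int new_validator_accepts(size_t n, const char *last_criterion) {
    Template t = make_template(n, last_criterion);
    return validate_with_bounds(&t) ? 1 : 0;
}

int interpret_result(size_t n, const char *last_criterion) {
    Template t = make_template(n, last_criterion);
    Event e = make_event();
    return interpret(&t, &e);
}

int main(void) {
    printf("20 fields:              old=%d new=%d interp=%d\n",
           old_validator_accepts(20, NULL), new_validator_accepts(20, NULL),
           interpret_result(20, NULL));
    printf("21 fields, wildcard:    old=%d new=%d interp=%d\n",
           old_validator_accepts(21, NULL), new_validator_accepts(21, NULL),
           interpret_result(21, NULL));
    printf("21 fields, non-wildcard old=%d new=%d interp=%d\n",
           old_validator_accepts(21, "pipe"), new_validator_accepts(21, "pipe"),
           interpret_result(21, "pipe"));
    return 0;
}
```

The second scenario is the one a test suite built only from wildcard templates would pass: the old validator accepts the 21-field template and the interpreter never reaches field 21, so nothing fails. The third scenario is the first non-wildcard 21st field; only the added boundary check in the validator rejects it before it reaches the interpreter.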

The incident rapidly impacted CrowdStrike’s stock market position. At one point, the company’s share price plummeted by as much as 20%, a substantial drop for a single day’s trading.

Parametrix, a leading provider of cloud monitoring, modeling, and insurance services, estimated the direct financial damage to American Fortune 500 companies (excluding Microsoft) affected by the CrowdStrike outage at $5.4 billion.
