CrowdStrike Update: Windows Bluescreen and Boot Loops (old.reddit.com)
My workplace has a number of people reporting Windows blue-screening and going into a boot loop. The IT Department have a number of servers recently gone offline and have said there's a chance that the two issues are related, and potentially due to a Crowd Strike application update.
My laptop blue-screened and rebooted, but is working fine after the reboot.
A local radio station has also said they've got the same issues with their laptops and their phone system is down as a result.
Not seeing anything on news sites yet. Anyone else seeing similar?
Above is all based in Australia.
4,017 comments
[ 3.8 ms ] story [ 567 ms ] thread> 7/18/24 10:20PT - Hello everyone - We have widespread reports of BSODs on windows hosts, occurring on multiple sensor versions. Investigating cause. TA will be published shortly. Pinned thread.
> SCOPE: EU-1, US-1, US-2 and US-GOV-1
> Edit 10:36PT - TA posted: https://supportportal.crowdstrike.com/s/article/Tech-Alert-W...
> Edit 11:27 PM PT:
> Workaround Steps:
> Boot Windows into Safe Mode or the Windows Recovery Environment
> Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
> Locate the file matching “C-00000291*.sys”, and delete it.
> Boot the host normally.
> Summary
> CrowdStrike is aware of reports of crashes on Windows hosts related to the Falcon Sensor.
> Details
> Symptoms include hosts experiencing a bugcheck\blue screen error related to the Falcon Sensor.
> Current Action
> Our Engineering teams are actively working to resolve this issue and there is no need to open a support ticket.
> Status updates will be posted below as we have more information to share, including when the issue is resolved.
> Latest Updates
> 2024-07-19 05:30 AM UTC | Tech Alert Published.
> Support
> Find answers and contact Support with our Support Portal
It includes PDFs of some relevant support pages that someone printed with their browser 5 hours ago. That's probably the right thing to do in such a situation to get this kind of info publicly available ASAP, but still, oof. Looks like lots of people in the Reddit thread had trouble accessing the support info behind the login screen.
You do have your bit locker recovery key, right? .....right?
In Enterprise setups the key should be backed somewhere in Active Directory.
> A colleague is dealing with a particularly nasty case. The server storing the BitLocker recovery keys (for thousands of users) is itself BitLocker protected and running CrowdStrike (he says mandates state that all servers must have "encryption at rest").
> His team believes that the recovery key for that server is stored somewhere else, and they may be able to get it back up and running, but they can't access any of the documentation to do so, because everything is down.
One of my biggest frustrations with learning networking was not being able to access the internet. Nowadays you probably have a phone with a browser, but back in the day if you were sitting in a data room and you'd configured stuff wrong, you had a problem.
Or worse, if it's like where I worked in the past, they're still in the buying process for a safe (started 13 months ago) and the analysts are building up a general plan for the management of the safe combination. They still have to start the discussions with the union to see how they'll adapt the salary for the people that will have to remember the code for the safe and who's gonna be legally responsible for anything that happens to the safe. Last follow-up meeting summary is "everything's going well but we'll have to modify the schedule and postpone the delivery date of a few months, let's say 6 to be safe"
When we later moved to new offices, somebody found a solution that involved a 'stair-walking' device that could supposedly get the safe down to the ground floor. This of course jammed when it was halfway down the stairs. Hilarity ensued.
1. Boot the affected machine from the Windows installer disk
2. Use "Repair options"
3. Click through to the option to spawn a shell
4. It will now ask you for unlocking the disk with a recovery key. SKIP THAT.
5. In the shell, type: "manage-bde -unlock C: -Password", enter the password
6. The drive is unlocked, now go and execute whatever recovery you have to do.
Good luck.
Can you even get the secret from the TPM in recovery mode?
Given that you can (relatively trivially) sniff the TPM communication to obtain the key [1], yes it should be possible. Can't verify it though as I've long ago switched to Mac for my primary driver and the old cheesegrater Mac I use as a gaming rig doesn't have a hardware TPM chip.
[1] https://pulsesecurity.co.nz/articles/TPM-sniffing
I don't know how common it is to disable TPM-stored keys in companies, but on personal licenses, you need group policy to even allow that.
Although this is moot if Windows recovery mode is accepted as the right system by the TPM. But aren't permissions/privileges a bit neutered in that mode?
https://x.com/attilabubby/status/1814216589559861673
https://x.com/nathanmcnulty/status/1785094215749476722?s=46
GPO to fix:
https://gist.github.com/whichbuffer/7830c73711589dcf9e7a5217...
So engineer-like.
Also in Australia
https://www.geekersdigest.com/windows-blue-screen-crash-caus... https://www.timesnownews.com/technology-science/latest-crowd...
This is gonna be a tough Friday for IT departments...
1. Rename csagent.sys ( the file causing the BSOD ) 2. Rename c:\windows\System32\Drivers\Crowdstrike
Again, do this at your own risk. Both workaround have been reported as "working". I am Linux user so I cannot tell.
1.enter in drive C: 2.system 32 folder 3. Drivers 4. Rename crowdstrike folder to something else doesent matter what.
A Crowdstrike update being able to blue-screen Windows Desktops and Servers.
Whilst Crowdstrike are going to cop a potentially existential-threatening amount of blame, an application shouldn't be able to do this kind of damage to an operating system. This makes me think that, maybe, Crowdstrike were unlucky enough to have accidentally discovered a bug that affects multiple versions of Windows (ie. it's a Windows bug, maybe more-so than it is a Crowdstrike bug).
There also seems to have been a ball-dropped in regards to auto-updating all the things. Yes, gotta keep your infrastructure up to date to prevent security incidents, but is this done in test environments before it's put into production?
Un-audited dependence on an increasingly long chain of third-parties.
All the answers are difficult, time consuming, and therefore expensive, and are only useful in times like now. And if everyone else is down, then there's safety in the crowd. Just point at "them too", and stay the path. This isn't a profitable differentiation. But it should be! (raised fists towards the sky).
Antivirus software by its nature probably needs the kind of access that would let it bluescreen your computer.
And there's a certain amount of sense to that, it has to get "under" the layer that viruses can typically get to, but I still think there should be another layer at which the OS is protected from misbehaving anti-virus software (which has been known to happen).
Originally, x86 processors had 4 levels of hardware protection, from ring 0 up to ring 3 (if I remember right). The idea was indeed that non-OS drivers could operate at the intermediate levels. But no one used them and they're effectively abandoned now. (There's "level -1" now for hypervisors and maybe other stuff but that's besides the point.)
Whether those x86 were really suitable or not is not exactly important. The point is, it's possible to imagine a world where device drivers could have less than 100% permissions.
I understand I'm yelling into the storm here, because anti-virus also requires that level of system access due to the nature of what it's trying to detect. But then again, does it only need Ring 0 access for the worst of the worst? Can it run 99% of the time in Ring 1, or user space, and only instantiate it's Ring 0 privileges for regular but infrequent scans or if it detects something else may be 'off'?
Default Ring 0? Earn it.
This turns into a "what's your threat level" discussion.
https://en.wikipedia.org/wiki/Protection_ring#Miscellaneous
It doesn't operate in user space, they install a kernel driver.
And therein lies the problem!
Most things that third-party kernel drivers used to do (device drivers, file systems, etc) are now done just as well, and much more safely, in userspace. I'm surprised if Microsoft isn't heading in this direction too?
Presumably, Crowdstrike runs on macOS without a kernel extension?
That's correct: CrowdStrike now only installs an "Endpoint Security" system extension and a "Network" system extension on macOS, but no kernel extension anymore.
This is a syscall used by userspace to tell the kernel which memory portion is allowed to do syscalls
This syscall can only be used once : once the linker has done it, the kernel will refuse extra calls (so allowing more memory pages is not possible)
Second, still, that doesn't change anything. You can make your malware jmp to anywhere so that the syscall actually comes from an authorized page.
In fact, in windows environment, this is actively done ("indirect syscalls"), because indeed, having a random executable directly calling syscalls is a clear indicator that something is malicious. So they take a detour and have a legitimate piece of code (in ntdll) do the syscall for them.
As PC got faster, Microsoft could have returned to the microkernel architecture, or at least focused on isolating drivers better.
You can, for instance, ask a running kernel if it is "tainted" by having loaded a non-GPL module.
I can, considering that you can do that from user space using strace. Or ebpf which is probably the actual right way to do this kind of thing.
And I bring up the distinction because while compliance is "sometimes" about safety, it's also very often about KPIs of particular individuals or due to imaginary liability for having not researched every possible "compliance" checkbox conceivable and making sure it's been checked.
Some computer security software is completely out of hand because its primary purpose is to have the appearance of effectiveness for the exec whose job is to tick off as many safety checkboxes as they can find, as opposed to being actually pragmatically effective.
If the same methodologies were applied to car safety, cars would be so weighed down by safety features, that they wouldn't be able to go faster than 40km/h.
Should you upgrade before 24.04.1 is released? It's scheduled for August 15.
https://learn.microsoft.com/en-us/windows-hardware/drivers/i...
Point of information. "Guarantee" and "any" are unsubstantiated by that MS article.
> an ELAM driver can't be guaranteed to load before another ELAM driver of course,
Thanks for the correction.
Yeah, this is what surprises me. Corporate infrastructure policy seems to have been matched to smart phone default settings.
These people report to the Board Chairman, don't understand any real implication of their work, and believe the world is a simplistic Red - Amber - Green grid.
I understand most CIOs / CTOs / CISOs in Corporate would buckle.
While virus scanners might pick up some threats not addressed by OS updates yet every one of them I've seen is a rootkit in disguise wanting full system privileges. There are numerous incidents with security holes and crashes caused by these security products. They also aren't that clever: repeatedly scanning the same files 'on access' over and over again wasting CPU and IO is not going to give you any extra security.
CS has official RCE root/admin access on all the clients. Which skips any normal auth of the OS. Yes, on all windows, mac and linux.
Where you're correct is that it's on the administrators to rollout the updates, but I'm not sure that's how Crowdstrike works. It's a managed solution and updates are done for you, maybe that can be disabled, but I honestly don't know.
CS is not sold to SA or technical types. It's sold to management as a risk reduction.
The whole point is that if you are technical, you are so untrusted that management is willing to require circumvention of known good practices and force installation of this software against technical advice.
This is due to their price making them relatively more available to the enthusiasts than say Hellcats, enthusiasts who may not be experienced enough to deal with having that much power available to them in a RWD car. This confluence of power, confidence and lack of skill often comes to a head when the enthusiast goes to a car meet to show off and meet with like minded folks. At the conclusion of the meet, or during a group drive, they'll often pull a sick burnout as they pull out of the parking lot on to a street.
A sick burnout they haven't practiced, and will often cause them to lose the back end sending the car into the curb, a tree, or a crowd of like minded attendees at the car meet. Therefore, the reputation.
For example: https://www.youtube.com/watch?v=DPx5aBI8UTQ
Also heard today crowd stroke.
sounds like they didnt test all cases and stumbled on a windows bug
He actually threatened to fire us as a client because he claimed he didn’t want the CS brand associated with an org that wasn’t “fully protected” by CS. By far the worst vendor contact I’ve ever had. I’ve had nicer meetings with Oracle lawyers than I was having with this guy. I hope this sort of thing humbles them a little.
Evidence is pointing towards him actually being right about this, despite likely being wrong about everything else.
It'd be worth giving him a call, just to check in how he's going, and take him up on the offer to fire you as a client.
Hopefully not. It would be better that this company is sued into oblivion by all the customers that were affected by this huge outage.
If their mission is to protect businesses they should understand your concerns.
Speed is useless without control.
We had a buggy client release during the rollout which consumed all the CPU in one of our test environments (something he assured us could never happen), and he calmed down a bit after that. Prior to that though he was doing stuff like finding our CISO on LinkedIn to let him know how worried he was about our rollout pace, and that without CS protection a major breach could be imminent.
For example, the way Oracle's lawyers are known.
What I hope, is that they stop to exist as a product and as a company. They have caused inconvenience, economic damage in global scale and probably also loss of life, given that many hospitals, ER units had outages. It has been proven that their whole way of working is wrong, from the very foundation to the top.
Concerns about usability between Windows and Linux in the modern day are disingenuous at best and malicious at worst. There is no UX concern when everything runs off a webapp these days.
Just use Linux. You will save money and time, and your system will be supported for many years, you won't be charged per E-Core, you won't suffer BSoDs in 2024. Red Hat is a trustworthy American company based out of Raleigh, NC, in case you have concerns of provenance.
Really there's no downside. If you were building your own company you would base your tech stack on Linux and not Windows.
Critical systems cannot go down; therefore they cannot run Windows. If they do, they are being mismanaged and run negligently. Management should have no issue finding Linux engineers, they are everywhere. I could make a killing right now as a consultant going from company to company and just swapping out Windows backends for Linux. And quite frankly I might just do that, literally starting right now.
It is an incredibly frustrated battle akin to Sisyphus.
Granted it didn't down linux this time but nothing is stopping it.
My work laptop is running Ubuntu, and corporate IT requires Symantec Antivirus to be running on it
Only if you don't need a GUI/Desktop.
I not only need a GUI/Desktop, it's my daily driver!
And there are precious few things that Windows GUI/Desktop provides which I don't have on Linux, while the reverse is never true.
When I used Mac (Big Sur, I think?) until a year ago, I was absolutely miserable about having to use such a primitive GUI.
Every system gets attacked, but I think your point shows that even with state-level attacks Linux handles it better than other platforms.
I'd also say this wasn't a good example of 'linux handling it better': usually when a mess like this occurs on windows all the corps get a quiet tap on the shoulder that they need to immediately patch when MS releases it, then a few days later it hits the news. In XZ's case, the backdoor was published before the team knew about it, huge mess.
> all the corps get a quiet tap on the shoulder that they need to immediately patch when MS releases it, then a few days later it hits the news
AFAIK, distros were notified and released a patched version of xz like a week before it hit the news, so at least a lot of machines received it via automatic updates.
I would say issue 1 is management/compliance forcing admins to install malwares like crowdstrike. But issue 1 is because of issue 2 which is about admins / app devs / users aren't smart enough to not have their machines compromised on a regular basis in the first place. And issue 2 is because issue 3 of the software industry not focusing on quality and making bug free software.
All in all this should be mitigated by more diversity in OS, software and "said security solution". Standardization and monopolies works well until they don't and you get this kind of shit.
But would it crash the OS?
Windows actually runs a lot of drivers in user-mode, even GPU drivers. largely this is because third-party drivers were responsible for the vast majority of blue screens, but the users would blame Microsoft. which makes sense; Windows crashes so they blame Windows, but I doubt anyone blamed Linux for the kernel panic.
Maybe this is just my ignorance about windows and its ecosystem but it seems most admins this morning were clueless on how to fix that automatically and remotely on n machines and would resort to boot in safe mode and remove a file manually on each single server. This is just insane to think that supposed windows sysadmins / cloudops have no idea how to deploy a fix automatically on that platform.
Falcon sensor is the most CPU intensive app running in the cluster and produces a constant stream of disk activity (more so than any of our apps).
It hasn't crashed anything yet but it definitely leaves me feeling iffy about running it.
I don't like CrowdStrike at all. I got contacted by our security department because I used curl to download a file from GitHub on my dev box and it prompted a severe enough security warning that it required me to explain my intent. That was the day I learned I guess every command or maybe even keystroke I type is being logged and analyzed.
https://access.redhat.com/solutions/7068083
https://forums.rockylinux.org/t/crowdstrike-freezing-rockyli...
An issue might not be as universal as on windows, because some distros do things differently like not using glibc, or systemd, or whatever. Yet there are some baselines common to the most popular ones.
Companies like CS live on reputation, it should be dragged down.
I switched critical systems to illumos and BSD years ago and it's been smooth sailing ever since. Nowadays there really is no need to contribute to linux monoculturization whatsoever.
> Linux being the most advanced operating system in the world without question.
Very strong and mostly unfounded claim; there are specific aspects where Linux is "more advanced", and others where Windows come out ahead (e.g. almost anything related to hardware-based security and virtualization).
> your system will be supported for many years
Windows Server 2008 was supported until earlier this year, longer than any RHEL release.
> you won't suffer BSoDs in 2024
Until you install a shitty driver for a dubious (anti)malware service.
https://www.computerworld.com/article/1642872/q-a-microsoft-...
https://betanews.com/2006/10/18/mcafee-ms-failing-to-provide...
Update: 911 is down in Oregon too, no more ambulances at least.