CrowdStrike is dismissing an explosive claim from a Chinese security research firm that the Falcon EDR sensor bug that blue-screened millions of Windows computers could be exploited for privilege escalation or remote code execution.
According to technical documentation published by Qihoo 360 (see translation), the direct cause of the BSOD loop is a memory corruption issue during opcode verification, opening the door for potential local privilege escalation of remote code execution attacks.
“Although it seems that the memory cannot be directly controlled here, the virtual machine engine of `CSAgent.sys` is actually Turing-complete, just like the Duqu virus using the font virtual machine in atmfd.dll, it can achieve complete control of the external (ie, operating system kernel) memory with specific utilization techniques, and then obtain code execution permissions,” Qihoo 360 said.
“After in-depth analysis, we found that the conditions for LPE or RCE vulnerabilities are actually met here,” the Chinese anti-malware vendor said.
Just one day after publishing a technical root cause analysis on the issue, CrowdStrike published additional documentation with a dismissal of “inaccurate reporting and false claims.”
[The bug] provides no mechanism to write to arbitrary memory addresses or control program execution — even under ideal circumstances where an attacker could influence kernel memory. “Our analysis, which has been peer reviewed, outlines why the Channel File 291 incident is not exploitable in a way that achieves privilege escalation or remote code execution,” said CrowdStrike vice president Adam Meyers.
Meyers explained that the bug resulted from code expecting 21 inputs while only being provided with 20, leading to an out-of-bounds read. “Even if an attacker had complete control of the value being read, the value is only used as a string containing a regular expression. We have investigated the code paths following the OOB read in detail, and there are no paths leading to additional memory corruption or control of program execution,” he declared.
Meyers said CrowdStrike has implemented multiple layers of protection to prevent tampering with channel files, noting that these safeguards “make it extremely difficult for attackers to leverage the OOB read for malicious purposes.”
He said any claim that it is possible to provide arbitrary malicious channel files to the sensor is false, nothing that CrowdStrike prevents these types of attacks through multiple protections within the sensor that prevent tampering with assets (such as channel files) when they are delivered from CrowdStrike servers and stored locally on disk.
Myers said the company does certificate pinning, checksum validation, ACLs on directories and files, and anti-tampering detections, protections that “make it extremely difficult for attackers to leverage channel file vulnerabilities for malicious purposes.”
CrowdStrike also responded to unidentified posts that mention an attack that modifies proxy settings to point web requests (including CrowdStrike traffic) to a malicious server and argues that a malicious proxy cannot overcome TLS certificate pinning to cause the sensor to download a modified channel file.
From the latest CrowdStrike documentation:
- The out-of-bounds read bug, while a serious issue that we have addressed, does not provide a pathway for arbitrary memory writes or control of program execution. This significantly limits its potential for exploitation.
- The Falcon sensor employs multiple layered security controls to protect the integrity of channel files. These include cryptographic measures like certificate pinning and checksum validation and system-level protections such as access control lists and active anti-tampering detections.
- While the disassembly of our string-matching operators may superficially resemble a virtual machine, the actual implementation has strict limitations on memory access and state manipulation. This design significantly constrains the potential for exploitation, regardless of computational completeness.
- Our internal security team and two independent third-party software security vendors have rigorously examined these claims and the underlying system architecture. This collaborative approach ensures a comprehensive evaluation of the sensor’s security posture.
CrowdStrike previously said the incident was caused by a confluence of security vulnerabilities and process gaps and vowed to work with software maker Microsoft on secure and reliable access to the Windows kernel.
Related: CrowdStrike Releases Root Cause Analysis of Falcon Sensor BSOD Crash
Related: CrowdStrike Says Logic Error Caused Windows BSOD Chaos
Related: CrowdStrike Faces Lawsuits From Customers, Investors
Related: Insurer Estimates Billions in Losses in CrowdStrike Outage Losses
Related: CrowdStrike Explains Why Bad Update Was Not Properly Tested
