Crowdstrike published a faulty update. Causes Windows to bluescreen. Driver is C-00000291*.sys. Will cause worldwide outages. Thread follows, I suspect. 🧵
I am obtaining a copy of the driver to see if it's malicious or bad coding; if anybody else is checking, let me know.

If anybody is wondering the impact of the Crowdstrike thing - it’s really bad. Machines don’t boot.

The recovery is boot in safe mode, log in as local admin and delete things - which isn't automatable. Basically Crowdstrike will be in very hot water.

You know it was coming...

Crowdstrike's BSOD theme tune

Sky News has gone off air in the UK.
Favour to IT folks fixing - could you please copy the C-00000291*.sys file to somewhere and upload it to Virustotal, and reply with the Virustotal link or file hash? It's still unclear if the update was malicious or just a bug.

I've obtained copies of the .sys driver files Crowdstrike customers have. They're garbage. Each customer appears to have a different one.

They trigger an issue that causes Windows to blue screen.

I am unsure how these got pushed to customers. I think Crowdstrike might have a problem.

For any orgs in recovery mode, I'd suspend auto updates of CS for now.

If anybody is wondering, the update was delivered via channel file updates in Crowdstrike.
BBC tracker (they mix up an earlier Microsoft outage, what they're actually tracking is the Crowdstrike issue) https://www.bbc.co.uk/news/live/cnk4jdwp49et
Chaos persists as IT outage could take time to fix, says cybersecurity firm boss

Airports, banking and healthcare were all hit when a Crowdstrike update triggered huge Microsoft outages.

BBC News

The .sys files causing the issue are channel update files, they cause the top level CS driver to crash as they're invalidly formatted. It's unclear how/why Crowdstrike delivered the files and I'd pause all Crowdstrike's updates temporarily until they can explain.

This is going to turn out to be the biggest 'cyber' incident ever in terms of impact, just a spoiler, as recovery is so difficult.

CrowdStrike's shares are down 20% in pre-market.

I'm seeing people posting scripts for automated recovery.. Scripts don't work if the machine won't boot (it causes instant BSOD) -- you still need to manually boot the system in safe mode, get through BitLocker recovery (needs per system key), then execute anything.

Crowdstrike are huge, at a global scale that's going to take.. some time.

Crowdstrike statement: https://www.bbc.co.uk/news/live/cnk4jdwp49et?post=asset%3A0c379e1f-48df-493c-a11a-f6b1e3d1eb63#post

Basically 'it's not a security incident... we just bricked a million systems'

For anybody wondering why Microsoft keep ending up in the frame, they had an Azure outage and - this may be news to some people - a lot of Microsoft support staff are actually external vendors, eg TCS, Mindtree, Accenture etc.

Some of those vendors use Crowdstrike, and so those support staff have no systems.

But MS isn’t the outage cause today.

@GossiTheDog they kind of are in the frame.... their kernel shouldn't shit its pants when a driver goes bad or doesn't load properly.

@JaxxAI @GossiTheDog yes it should. Unless they changed it to a model where each driver has a dedicated address space and can't alter memory for other parts of the kernel. You should not catch "corrupted memory" exceptions and ignore them, as you have no idea if said corrupted memory is important to the rest of the system.

The same applies to most widely used kernels such as Linux.

Having drivers running outside the kernel is a great idea though, but hard due to performance. #Redox makes a pretty decent attempt

@gigantos @GossiTheDog OR just don't load it in the first place if it's bad. Linux can taint bad drivers and not crash though, giving you the opportunity to sort the issue.

@JaxxAI @GossiTheDog so can Windows, and it will use the last known good configuration. But unfortunately there are exceptions.

And in many cases, you can't know who caused an issue. The altered memory may not be attributed to the faulting driver at all.

@gigantos @GossiTheDog I'm under the impression the sys driver file is unsigned garbage. Under no circumstances should the kernel be loading it. At reboot, it should not load this file and let the user into Windows where an error pops up about driver not loaded. The admins then automate a fix rollout and all good. End users just need to reboot when BSOD occurs. My opinion is the kernel should not BSOD due to a garbage sys file like this at boot, that's a security hole in its own right.

@JaxxAI @GossiTheDog I don't disagree with your wish.

I just try to point out this is no better elsewhere. On Windows a driver must be signed to be loaded, either by a catalogue file or embedded in the file itself.

I'm out traveling, so can't verify myself, but in this case, I suspect it's a data file named as a driver, and that another signed driver loads it. Nothing would stop this from happening on other operating systems.
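Two practical questions run through the thread: the request for a file hash rather than the file itself, and the open question of whether the C-00000291*.sys files are broken driver images or data files that merely carry a .sys name and get parsed by another, signed driver. The following helper, added here as an illustration and not code from the thread or from CrowdStrike, answers both for any file handed to it: it computes a SHA-256 suitable for sharing or looking up, and checks whether the bytes are a PE/COFF image (DOS "MZ" header whose e_lfanew points at a "PE\0\0" signature), which is the minimum the Windows loader needs before signature checks even apply. It deliberately does not attempt to validate CrowdStrike's proprietary channel-file format, which the thread does not describe. The sample inputs, the file names and the quarantine path are constructed for the example.

```python
"""Triage helper for a .sys file of uncertain provenance (added example).

Answers two questions raised in the thread:
  1. What is the file's hash, so the hash rather than the file can be shared.
  2. Is the file a genuine Windows driver image (PE/COFF), or an opaque data
     blob that only carries a .sys name and is read by some other driver.
"""
import glob
import hashlib
import os
import struct

DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C  # 32-bit offset of the PE header, stored in the DOS stub


def is_pe_image(data: bytes) -> bool:
    """True only if a DOS header is present and e_lfanew points at a PE signature."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != DOS_MAGIC:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    # Guard against a pointer that runs past the end of the file.
    if e_lfanew + len(PE_SIGNATURE) > len(data):
        return False
    return data[e_lfanew:e_lfanew + len(PE_SIGNATURE)] == PE_SIGNATURE


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the bytes, the value to paste into a reply or look up."""
    return hashlib.sha256(data).hexdigest()


def triage_bytes(name: str, data: bytes) -> dict:
    """Summarise one file: name, size, hash and whether it is a PE image at all."""
    pe = is_pe_image(data)
    return {
        "name": name,
        "size": len(data),
        "sha256": sha256_hex(data),
        "is_pe": pe,
        "verdict": "pe-driver-image" if pe else "not-a-pe-image",
    }


def triage_files(pattern: str) -> list:
    """Run triage_bytes over every file matching a glob such as 'C-00000291*.sys'."""
    results = []
    for path in sorted(glob.glob(pattern)):
        with open(path, "rb") as fh:
            results.append(triage_bytes(os.path.basename(path), fh.read()))
    return results


# Constructed samples (not real CrowdStrike files): a minimal PE-shaped header
# and an opaque data blob, so the helper can be exercised offline.
def _build_pe_sample() -> bytes:
    buf = bytearray(0x100)
    buf[0:2] = DOS_MAGIC
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, 0x80)  # e_lfanew -> 0x80
    buf[0x80:0x84] = PE_SIGNATURE
    return bytes(buf)


PE_SAMPLE = _build_pe_sample()
DATA_SAMPLE = b"\xaa\x55" * 32 + bytes(range(256))  # no MZ header, just data


if __name__ == "__main__":
    # Hypothetical file names, constructed for the demonstration.
    for name, blob in (("example-driver.sys", PE_SAMPLE),
                       ("C-00000291-sample.sys", DATA_SAMPLE)):
        print(triage_bytes(name, blob))
    # On a recovered machine, point it at wherever the files were copied to
    # (placeholder path): for row in triage_files(r"D:\quarantine\C-00000291*.sys"): print(row)
```

A "not-a-pe-image" verdict means the kernel's image loader would never have loaded the file as a driver in its own right, which supports the reading in the final reply that a signed driver is consuming it as data; a "pe-driver-image" verdict would instead point at the file's own signature and headers as the thing to examine next. Either way, the SHA-256 is what to share in the thread rather than the file itself.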