CrowdStrike, whose update crashed 8.5 million Windows PCs on July 19, 2024, described the entire situation in detail on its blog. The failure was caused by a logic error in a sensor configuration update for Windows systems running the Falcon security platform.
Systems running Falcon Sensor for Windows 7.11 and above that downloaded the updated configuration between 04:09 UTC and 05:27 UTC were "prone to a system crash."
These configuration files are called "Channel Files" and are part of the behavioral protection mechanisms used by the Falcon sensor. Updating the Channel Files is a normal part of the sensor's operation and occurs several times a day in response to new tactics, techniques, and procedures discovered by CrowdStrike.
On Windows systems, channel files are located in the following path:
C:\Windows\System32\drivers\CrowdStrike\
These files have a name that begins with "C-". Each channel file is assigned a number as a unique identifier. The channel file impacted in this event is number 291 and has a filename that begins with "C-00000291-" and ends with a .sys extension.
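As an added triage example (not CrowdStrike's code, and not taken from the article), the snippet below parses Channel File names of the form the article describes ("C-" prefix, eight-digit channel number, ".sys" extension), picks out channel 291, and flags only the copies whose write time falls inside the 04:09 to 05:27 UTC window. The directory listing, the filename suffixes after "C-00000291-", and the timestamps are constructed sample data, not real artifacts.

```python
import re
from datetime import datetime, timezone
from typing import List, NamedTuple, Optional

# Filename shape described in the article: "C-" prefix, a zero-padded
# channel number, more characters, and a .sys extension.
CHANNEL_FILE_RE = re.compile(r"^C-(\d{8})-.*\.sys$", re.IGNORECASE)

# Impacted channel and the distribution window named in the article.
IMPACTED_CHANNEL = 291
WINDOW_START = datetime(2024, 7, 19, 4, 9, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 7, 19, 5, 27, tzinfo=timezone.utc)


class ChannelFile(NamedTuple):
    name: str
    modified: datetime  # UTC timestamp of when the file was written


def channel_number(filename: str) -> Optional[int]:
    """Return the channel number encoded in a Channel File name, or None
    if the name does not follow the C-<8 digits>-...sys pattern."""
    m = CHANNEL_FILE_RE.match(filename)
    return int(m.group(1)) if m else None


def triage(files: List[ChannelFile]) -> List[str]:
    """Return names of channel-291 files written inside the affected window.

    Files for other channels, non-channel files, and channel-291 copies
    written outside the window are left alone.
    """
    suspects = []
    for f in files:
        if channel_number(f.name) != IMPACTED_CHANNEL:
            continue
        if WINDOW_START <= f.modified <= WINDOW_END:
            suspects.append(f.name)
    return suspects


# Constructed sample listing (hypothetical suffixes and timestamps).
SAMPLE_LISTING = [
    ChannelFile("C-00000291-00000000-00000001.sys",
                datetime(2024, 7, 18, 22, 0, tzinfo=timezone.utc)),   # before window
    ChannelFile("C-00000291-00000000-00000002.sys",
                datetime(2024, 7, 19, 4, 30, tzinfo=timezone.utc)),   # inside window
    ChannelFile("C-00000290-00000000-00000001.sys",
                datetime(2024, 7, 19, 4, 30, tzinfo=timezone.utc)),   # other channel
    ChannelFile("readme.txt",
                datetime(2024, 7, 19, 4, 30, tzinfo=timezone.utc)),   # not a channel file
]

if __name__ == "__main__":
    for name in triage(SAMPLE_LISTING):
        print("channel 291 file written in the affected window:", name)
```

On a real host the listing would come from the directory named above rather than from the constructed sample; the timestamp check matters because a channel-291 file written after the fix was published is the corrected content, not the faulty one.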
Channel File 291 controls how Falcon evaluates named pipe execution on Windows systems. Named pipes are used for normal interprocess or intersystem communication on Windows.
The update that caused the problem was aimed at detecting newly observed malicious named pipes used by common C2 frameworks in cyberattacks.
CrowdStrike has fixed the logic error by updating the content in Channel File 291. No additional changes to Channel File 291 beyond the updated logic will be deployed. The problem is not related to null bytes contained in Channel File 291 or any other channel file.
The company writes that systems running Linux and macOS do not use Channel File 291 and were not affected. However, The Register adds "this time".
In June, Red Hat (the developer of the Fedora distribution) warned its customers about "Kernel panic after downloading 5.14.0-427.13.1.el9_4.x86_64 with the falcon-sensor process", which affected some Red Hat Enterprise Linux 9.4 users.
Another error message, "System crashed at cshook_network_ops_inet6_sockraw_release+0x171a9," recommended that users "seek help with the falcon_lsm_serviceable kernel module provided with CrowdStrike Falcon Sensor/Agent security software."
Red Hat also advised that "disabling the CrowdStrike Falcon Sensor/Agent software ... will reduce the number of crashes and provide temporary system stability."
Linux kernel panics and Windows "blue screens of death" are broadly comparable failures. A kernel panic occurring just a few weeks before CrowdStrike broke so many Windows installations hints that the problem is not just one bad update.