Congressman Ritchie Torres (NY-15) has called on the Department of Homeland Security to investigate the recent outage at CrowdStrike, an American cybersecurity technology company, which he said resulted in diverse consequences.

 

In a letter addressed to the HSI dated Friday, July 19, the congressman wrote in part, “Crowdstrike, an internationally recognized U.S. cybersecurity software company, suffered a massive a global “outage,” which has prevented people from withdrawing money from ATMs, grounded flights, and impacting healthcare services.”

 

The congressman, who represents a large section of The Bronx, stretching form the northwest to the South Bronx, continued, “According to Crowdstrike’s President and CEO, the precise cause of the outage ‘…is not a security or cyberattack. The issue has been identified, isolated, and a fix has been deployed,’ but stems from a software update.”

 

Torres added, “Even though the cause of the outage has been determined, the sheer number of systems that have broken breakdown raises concerns about the cyber vulnerabilities of our critical infrastructure systems grinding to a halt based on a software update. At a time when cyberattacks are rising in both scope and sophistication, modernizing our local, state and federal cybersecurity systems is paramount, and ensuring they are able to not only accept the software update, but to function after the update is the bare minimum.”

 

The letter continued, “I am therefore writing to request that the Department of Homeland Security (DHS) in partnership with the Critical and Infrastructure Security Agency (CISA), and the Cyber Safety Review Board (CSRB) to conduct a joint investigation of this software update failure, and impact it has had [on] the cyber vulnerabilities of all systems, such as NOTAM and ATC, underlying air travel.”

 

On Friday, George Kurtz, president and CEO of CrowdStrike, who is a former CEO of Foundstone, a former CTO of McAfee, and author of “Hacking Exposed,” announced, further to the outage, that it was actively working with customers impacted by “a defect found in a single content update for Windows hosts.”

 

The statement went on to read in part, “Mac and Linux hosts are not impacted. This is not a security incident or cyberattack. The issue has been identified, isolated and a fix has been deployed. We refer customers to the support portal for the latest updates and will continue to provide complete and continuous updates on our website. We further recommend organizations ensure they’re communicating with CrowdStrike representatives through official channels. Our team is fully mobilized to ensure the security and stability of CrowdStrike customers.”

 

A further update on Friday from Kurtz read, “Today was not a security or cyber incident. Our customers remain fully protected. We understand the gravity of the situation and are deeply sorry for the inconvenience and disruption. We are working with all impacted customers to ensure that systems are back up and they can deliver the services their customers are counting on.” 

 

Committing to sharing further updates once available, he added in part, “As noted earlier, the issue has been identified and a fix has been deployed. There was an issue with a Falcon content update for Windows Hosts.” 

 

Kurtz later continued, “All of CrowdStrike continues to work closely with impacted customers and partners to ensure that all systems are restored. I’m sharing the letter I sent to CrowdStrike’s customers and partners. As this incident is resolved, you have my commitment to provide full transparency on how this occurred and the steps we’re taking to prevent anything like this from happening again. We are working on a technical update and root cause analysis that we will share with everyone as well.”

The following technical update was also provided:

What Happened?

On July 19, 2024 at 04:09 UTC, as part of ongoing operations, CrowdStrike released a sensor configuration update to Windows systems. Sensor configuration updates are an ongoing part of the protection mechanisms of the Falcon platform. This configuration update triggered a logic error resulting in a system crash and blue screen (BSOD) on impacted systems.

The sensor configuration update that caused the system crash was remediated on Friday, July 19, 2024 05:27 UTC.

This issue is not the result of or related to a cyberattack.

Impact

Customers running Falcon sensor for Windows version 7.11 and above, that were online between Friday, July 19, 2024 04:09 UTC and Friday, July 19, 2024 05:27 UTC, may be impacted.

Systems running Falcon sensor for Windows 7.11 and above that downloaded the updated configuration from 04:09 UTC to 05:27 UTC – were susceptible to a system crash.

Configuration File Primer

The configuration files mentioned above are referred to as “Channel Files” and are part of the behavioral protection mechanisms used by the Falcon sensor. Updates to Channel Files are a normal part of the sensor’s operation and occur several times a day in response to novel tactics, techniques, and procedures discovered by CrowdStrike. This is not a new process; the architecture has been in place since Falcon’s inception.

Technical Details

On Windows systems, Channel Files reside in the following directory:

C:\Windows\System32\drivers\CrowdStrike\

and have a file name that starts with “C-”. Each channel file is assigned a number as a unique identifier. The impacted Channel File in this event is 291 and will have a filename that starts with “C-00000291-” and ends with a .sys extension. Although Channel Files end with the SYS extension, they are not kernel drivers.

Channel File 291 controls how Falcon evaluates named pipe¹ execution on Windows systems. Named pipes are used for normal, interprocess or intersystem communication in Windows.

The update that occurred at 04:09 UTC was designed to target newly observed, malicious named pipes being used by common C2 frameworks in cyberattacks. The configuration update triggered a logic error that resulted in an operating system crash.

Channel File 291

CrowdStrike has corrected the logic error by updating the content in Channel File 291. No additional changes to Channel File 291 beyond the updated logic will be deployed. Falcon is still evaluating and protecting against the abuse of named pipes.

This is not related to null bytes contained within Channel File 291 or any other Channel File.

Remediation

The most up-to-date remediation recommendations and information can be found on our blog or in the Support Portal.

We understand that some customers may have specific support needs and we ask them to contact us directly.

Systems that are not currently impacted will continue to operate as expected, continue to provide protection, and have no risk of experiencing this event in the future.

Systems running Linux or macOS do not use Channel File 291 and were not impacted.