BSOD error due to crowdstrike.

On July 19, 2024, at 04:09 UTC, CrowdStrike released a sensor configuration update to Windows systems. which caused a logic error, resulting in system crashes and blue screens (BSOD) on affected systems. The issue was resolved on July 19, 2024, at 05:27 UTC. The problem was not related to a cyberattack.

Affected customers were those using Falcon sensor for Windows version 7.11 and above, who were online between 04:09 UTC and 05:27 UTC on July 19, 2024. Systems running these versions that downloaded the update during this period were susceptible to crashes.

The configuration files, known as "Channel Files," are part of Falcon's behavioral protection mechanisms. Updates to these files are routine and address new tactics, techniques, and procedures. Channel File 291, which was involved in this event, controls Falcon’s evaluation of named pipe execution on Windows systems.

Channel Files in C:\Windows\System32\drivers\CrowdStrike\ and start with “C-”. Channel File 291 (filename starts with “C-00000291-” and ends with .sys) was the file involved in the issue. The update aimed to target malicious named pipes used by common C2 frameworks but caused a logic error leading to crashes.

CrowdStrike corrected the logic error in Channel File 291. Updated logic in Channel File 291 will continue to evaluate and protect against named pipe abuse. Systems not impacted will continue to operate normally and are not at risk of future occurrences of this event. Linux and macOS systems were unaffected as they do not use Channel File 291. A thorough root cause analysis is ongoing to understand how the logic flaw occurred.

Well, CrowdStrike broke Red Hat Linux too, and very few knew. Kernel panic observed after booting 5.14.0-427.13.1.el9_4.x86_64 by falcon-sensor process.