Security Firm Discloses CrowdStrike Issue After ‘Ridiculous Disclosure Process’
Following what it generally known as a “ridiculous vulnerability disclosure course of,” a security agency disclosed particulars of a difficulty with a CrowdStrike product. Following the disclosure, CrowdStrike clarified just some points.
Researchers at Swiss security company Modzero discovered a flaw in CrowdStrike’s Falcon endpoint detection and response instrument. Notably, the Falcon Sensor, a lightweight agent put in on each end gadget, is the difficulty. Sensor uninstall security might be configured to cease elimination and never utilizing a particular token.
Modzero discovered that an attacker with administrator rights would possibly disable token verification on Dwelling home windows models and uninstall the sensor in an effort to disable the protection provided by CrowdStrike’s product.
On account of elevated privileges required for exploitation, the company acknowledged that “the overall menace of the vulnerability is relatively restricted,” nonetheless nonetheless chosen to complain regarding the disclosure course of in a weblog put up along with a technical advisory explaining the issue.
The disclosure course of was troublesome for Modzero because of it didn’t want to submit its findings by CrowdStrike’s HackerOne bug bounty program.
In early June, Modzero began soliciting information from CrowdStrike a few fully totally different strategy of reporting its outcomes that didn’t comprise working with HackerOne or agreeing to a non-disclosure settlement.
In the long term, Modzero emailed its findings to CrowdStrike in late June, nonetheless the agency was initially unable to duplicate the issue, later claiming that it didn’t appear to be a genuine vulnerability.
Really, the vendor had taken some precautions to cease exploitation, along with determining Modzero’s proof-of-concept (PoC) vulnerability as malicious, which Modzero discovered when it later examined its findings on a extra moderen mannequin of CrowdStrike Falcon.
“Falcon installs and uninstalls on Dwelling home windows applications using the Microsoft Installer (MSI) harness. To hold out secondary actions all through an arrange or uninstall, equal to performing system checks or, on this case, verifying an uninstall token, Microsoft recommends using Custom-made Actions (CAs) by msiexec.exe.
All through a Falcon uninstall, quite a few circumstances of msiexec.exe run in parallel performing quite a few duties. Thought-about one in every of these duties makes use of a custom-made movement (CA) to confirm for the presence of a reputable uninstall token for Falcon. Beneath common conditions, if that verification fails or can’t be completed, the MSI logic stops the uninstall course of and notifies the buyer {{that a}} reputable uninstall token is required.
As revealed by modzero, an space administrator can bypass this inside Microsoft’s MSI implementation, the place msiexec.exe will proceed an uninstall course of if a CA terminates with out returning (equal to when that course of fails or is intentionally aborted). In essence, the MSI fails to open (unexpectedly) in its place of failing to close (anticipated).”
