CrowdStrike blames a test software bug for that giant global mess it made
CrowdStrike has blamed a bug in its own test software for the mass-crash-event it caused last week.
Rapid response content is delivered in those channel files as so-called "template instances," which CrowdStrike describes as "instantiations of a given template type." Thus, the rapid response content relies on template code defined by the base sensor content, and each piece of this response content is a template instance.
In February 2024, CrowdStrike introduced a new "Inter-process communication (IPC) template type" for rapid response content, which the vendor designed to detect "novel attack techniques that abuse Named Pipes." The IPC template type passed testing on March 5, and a rapid response template instance was released to use it.
On July 19, CrowdStrike introduced two more IPC template instances.
One included "problematic content data" but made it into production anyway because of what CrowdStrike described as "a bug in the content validator."
As we concluded in our earlier analysis of the crash, Falcon loaded and parsed the new content and became confused by the broken template instance. That "resulted in an out-of-bounds memory read triggering an exception" within CrowdStrike's Windows driver-level code, which would bring down the whole box.
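The failure mode described above, a validator that passes a malformed template instance and an interpreter that then reads past its data, sketched as an added example that is not from the article or from CrowdStrike. The record layout, `TYPE_FIELDS` and every function name are hypothetical, and the sample instances are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical layout, not CrowdStrike's: the template type (code) reads a
 * fixed number of fields; a template instance (data) supplies the values. */
#define TYPE_FIELDS 4u

typedef struct {
    uint32_t field_count;    /* values actually present in the instance */
    const uint32_t *values;  /* array of field_count entries */
} template_instance;

/* Constructed samples: one well-formed instance, one a field short. */
static const uint32_t GOOD_VALUES[4] = {1, 2, 3, 4};
static const uint32_t SHORT_VALUES[3] = {1, 2, 3};
static const template_instance GOOD_INSTANCE = {4, GOOD_VALUES};
static const template_instance SHORT_INSTANCE = {3, SHORT_VALUES};

/* Validator with a gap: accepts any non-empty instance. */
int validator_loose(const template_instance *ti) {
    return ti && ti->values && ti->field_count > 0;
}

/* Validator that checks the instance against what the type will read. */
int validator_strict(const template_instance *ti) {
    return ti && ti->values && ti->field_count == TYPE_FIELDS;
}

/* Interpreter side: bounds-check every access instead of trusting the
 * validator. Returns 0 and sets *sum on success, -1 if the instance is
 * rejected (no read past the end of values[]). */
int evaluate(const template_instance *ti, uint32_t *sum) {
    uint32_t acc = 0;
    if (!ti || !ti->values || !sum) return -1;
    for (uint32_t i = 0; i < TYPE_FIELDS; i++) {
        if (i >= ti->field_count) return -1;  /* fail closed */
        acc += ti->values[i];
    }
    *sum = acc;
    return 0;
}

int main(void) {
    uint32_t sum = 0;
    printf("loose validator accepts short instance: %d\n", validator_loose(&SHORT_INSTANCE));
    printf("strict validator accepts short instance: %d\n", validator_strict(&SHORT_INSTANCE));
    printf("evaluate(short) = %d\n", evaluate(&SHORT_INSTANCE, &sum));
    printf("evaluate(good)  = %d\n", evaluate(&GOOD_INSTANCE, &sum));
    return 0;
}
```

The short instance passes the loose validator, so only the interpreter's own bounds check stands between it and a read past the end of the array.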
News URL
https://go.theregister.com/feed/www.theregister.com/2024/07/24/crowdstrike_validator_failure/