Windows Sensor versions 6.45+ are not impacted by this issue.

There is quite a bit of confusion about a researcher's blog post, so I'm posting this here to make all the information available to you. The original, more succinct, response can be viewed here.

On June 29, 2022, CrowdStrike was contacted by security firm modzero concerning an issue with the Falcon uninstall process.

The researchers provided technical information and a proof of concept demonstrating that a user with elevated privileges, and specialized software, could uninstall the Falcon Sensor for Windows without inputting an uninstallation token.

The main issue is a fail-open condition in the Microsoft Installer (MSI) harness. CrowdStrike has reported the issue to Microsoft.

To quote the researchers, “the exploit needs high privileges the overall risk of the vulnerability is very limited.”

CrowdStrike added detection and prevention logic to detect and prevent similar behavior from the Microsoft Installer (MSI) engine.

On July 8, 2022, customers were notified of the findings via a Tech Alert. Today that Tech Alert was updated to include the details below.

On June 29, 2022, CrowdStrike was contacted by security firm modzero concerning a security issue with the Falcon uninstall process and provided technical details and proof of concept code.

On July 8, 2022, CrowdStrike disclosed this issue to its customers via a tech alert. The security firm modzero was credited with the disclosure and discovery of the issue.

On August 12, 2022, after additional research and documentation, CrowdStrike submitted a bug report to Microsoft detailing the issue with Microsoft Installer (MSI) custom actions.

On August 22, 2022, modzero published a blog post that included their proof of concept code and submitted a CVE entry citing that blog post (at time of writing, this CVE is still under analysis).

Falcon is installed and uninstalled on Windows systems using the Microsoft Installer (MSI) harness.
For this reason, we've modified the Falcon Windows Installer to account for MSI Custom Actions failing open.

UPDATE - At time of writing this update, Microsoft has yet to respond to our security escalation.

UPDATE - All supported sensor versions have been hotfixed.