CERT-In Advisory
CIAD-2024-0035
Outage of Microsoft Windows due to CrowdStrike agent Falcon Sensor update
Original Issue Date: July 19, 2024
Severity Rating: Critical
Systems Affected
- Systems running CrowdStrike Falcon Sensor for Windows 7.11 and above that downloaded the updated configuration from July 19, 2024 04:09 UTC to July 19, 2024 05:27 UTC
Description
It has been reported that Windows hosts running the CrowdStrike agent "Falcon Sensor" are facing outages and crashing due to a recent update received in the product. The affected Windows hosts are experiencing a "Blue Screen of Death (BSOD)" related to Falcon Sensor.
Workarounds:
The issue was introduced in the latest CrowdStrike update, and the changes have been reverted by the CrowdStrike team.
If hosts are still crashing and unable to stay online to receive the Channel File changes, the following steps can be used as a workaround for this issue:
- Boot Windows into Safe Mode or the Windows Recovery Environment
- Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
- Locate the file matching "C-00000291*.sys", and delete it.
- Boot the host normally.
Also, users are advised to check the latest updates from the CrowdStrike portal.
https://supportportal.crowdstrike.com/
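The workaround steps above can be scripted for a host that has been booted into Safe Mode. The PowerShell below is an added example, not code from CERT-In or CrowdStrike; the function name, the `-WindowsRoot` parameter and the `InAdvisoryWindow` field are hypothetical, and the timestamp check assumes the file's last-write time reflects when it was downloaded.

```powershell
# Added example (not CERT-In or CrowdStrike code). Run from an elevated
# PowerShell session in Safe Mode. Function and parameter names are hypothetical.
function Remove-FalconChannelFile291 {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Windows directory of the affected installation. Assumption: if the
        # affected volume is mounted under another letter, pass e.g. 'E:\Windows'.
        [string]$WindowsRoot = $env:SystemRoot
    )

    $dir = Join-Path $WindowsRoot 'System32\drivers\CrowdStrike'
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        Write-Warning "CrowdStrike driver directory not found: $dir"
        return
    }

    # Download window stated in the advisory (UTC).
    $windowStart = [datetime]::new(2024, 7, 19, 4, 9, 0, [System.DateTimeKind]::Utc)
    $windowEnd   = [datetime]::new(2024, 7, 19, 5, 27, 0, [System.DateTimeKind]::Utc)

    # Only the pattern named in the advisory is touched; other files stay.
    $files = @(Get-ChildItem -LiteralPath $dir -Filter 'C-00000291*.sys' -File -Force)
    if ($files.Count -eq 0) {
        Write-Verbose "No file matching C-00000291*.sys in $dir"
        return
    }

    foreach ($f in $files) {
        $removed = $false
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Delete channel file')) {
            Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Stop
            $removed = $true
        }
        # One record per matching file, for the remediation log.
        [pscustomobject]@{
            Path             = $f.FullName
            LastWriteTimeUtc = $f.LastWriteTimeUtc
            # Informational only: assumes the timestamp reflects download time.
            InAdvisoryWindow = ($f.LastWriteTimeUtc -ge $windowStart -and
                                $f.LastWriteTimeUtc -le $windowEnd)
            Removed          = $removed
        }
    }
}

# Dry run: lists what would be deleted without changing anything.
Remove-FalconChannelFile291 -WhatIf
```

After reviewing the dry-run output, run `Remove-FalconChannelFile291 -Confirm:$false` to delete the file, then boot the host normally.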
Solution
Apply the latest update from the vendor website
https://supportportal.crowdstrike.com/
Vendor Information
CrowdStrike
https://supportportal.crowdstrike.com/
https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/
References
Microsoft
https://azure.status.microsoft/en-us/status
https://techcommunity.microsoft.com/t5/intune-customer-success/new-recovery-tool-to-help-with-crowdstrike-issue-impacting/ba-p/4196959
https://blogs.microsoft.com/blog/2024/07/20/helping-our-customers-through-the-crowdstrike-outage/
https://techcommunity.microsoft.com/t5/azure-compute-blog/recovery-options-for-azure-virtual-machines-vm-affected-by/ba-p/4196798
CrowdStrike
https://www.crowdstrike.com/blog/falcon-update-for-windows-hosts-technical-details/
https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/
Amazon AWS
https://health.aws.amazon.com/health/status
https://repost.aws/en/knowledge-center/ec2-instance-crowdstrike-agent
Google Cloud Platform
https://www.crowdstrike.com/wp-content/uploads/2024/07/Automated-Recovery-from-Blue-Screen-on-Windows-Instances-in-GCP.pdf
https://github.com/CrowdStrike/gcp-cf-remediation
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-22902657
Postal address
Indian Computer Emergency Response Team (CERT-In), Ministry of Electronics and Information Technology, Government of India, Electronics Niketan, 6, CGO Complex, Lodhi Road, New Delhi - 110 003, India