Remediation and Guidance Hub: Channel File 291 Incident

What We Did and What’s Next

Based on the findings in the RCA, here are some of the actions CrowdStrike has taken and will take moving forward:

• Update Content Configuration System test procedures. This work has been completed. This includes upgraded tests for Template Type development, with automated tests for all existing Template Types. Template Types are part of the sensor and contain predefined fields for threat detection engineers to leverage in Rapid Response Content.
• Add additional deployment layers and acceptance checks for the Content Configuration System. This work has been completed with an updated deployment ring process, ensuring Template Instances pass successive deployment rings before rollout into production.
• Provide customers additional control over the deployment of Rapid Response Content updates. New capabilities have been implemented and deployed to our cloud that allow customers to control how Rapid Response Content is deployed, with additional functionality planned for the future.
• Prevent the creation of problematic Channel 291 files. Validation for the number of input fields has been implemented to prevent this issue from happening.
• Implement additional checks in the Content Validator. Additional checks are planned for release into production by August 19, 2024.
• Enhance bounds checking in the Content Interpreter for Rapid Response Content in Channel File 291. Bounds checking was added on July 25, 2024, with general availability expected August 9, 2024. These fixes are being backported to all Windows sensor versions 7.11 and above through a sensor software hotfix release.
• Engage two independent third-party software security vendors to conduct further review of the Falcon sensor code and end-to-end quality control and release processes. This work has begun and will be ongoing as part of our focus on security and resilience by design.

For additional details and defined terms, please refer to the RCA.

We are using the lessons learned from this incident to better serve our customers. To this end, we have already taken decisive steps to help prevent this situation from repeating, and to help ensure that we — and you — become even more resilient. The Root Cause Analysis (RCA) and executive summary are available on our guidance hub and provide more detail on the Channel File 291 incident and how we are further enhancing our processes.

We are deeply sorry for the impact this had on you. Nothing is more important than regaining your trust and confidence. Since our founding, we have always put customer protection at the forefront. This has been our North Star, and it continues to be our focus every single day.

I want to extend my personal thanks to each of you; your continued partnership, and the countless expressions of support we have received over the past two weeks, have been incredibly meaningful.

If you have questions or need additional support, please reach out to your CrowdStrike team.

George Kurtz
CrowdStrike Founder and CEO

The outage was caused by a defect found in a Falcon content update for Windows hosts. Mac and Linux hosts are not impacted. This was not a cyberattack.

We are working closely with impacted customers and partners to ensure that all systems are restored, so you can deliver the services your customers rely on.

CrowdStrike is operating normally, and this issue does not affect our Falcon platform systems. There is no impact to any protection if the Falcon sensor is installed. Falcon Complete and Falcon OverWatch services are not disrupted.

We will provide continuous updates through our Support Portal.

We have mobilized all of CrowdStrike to help you and your teams. If you have questions or need additional support, please reach out to your CrowdStrike representative or Technical Support.

We know that adversaries and bad actors will try to exploit events like this. I encourage everyone to remain vigilant and ensure that you’re engaging with official CrowdStrike representatives. Our blog and technical support will continue to be the official channels for the latest updates.

Nothing is more important to me than the trust and confidence that our customers and partners have put into CrowdStrike. As we resolve this incident, you have my commitment to provide full transparency on how this occurred and steps we’re taking to prevent anything like this from happening again.

George Kurtz
CrowdStrike Founder and CEO

Q: Has this issue been fixed?

Channel File 291 was identified and fixed 78 minutes after it was released, at 1:27 a.m. EDT on July 19. A logic error in our Content Validator (software that performs control checks on content before deployment) has also been fixed, and we are implementing additional enhancements that are explained in the RCA by August 19, 2024.

Each customer environment is unique, with varying degrees of complexity and architectural constraints that can significantly impact remediation timelines. We can confirm that almost all systems have restored operations and are back online. We remain ready to support any customer that continues to experience operational issues.

Q: How does Rapid Response Content make customers more secure?

Our proven security model is built on the reality that stopping evolving cyber threats requires: (i) effective threat intelligence and real-time information about IT infrastructures that are augmented by the experiences of tens of thousands of enterprises; and (ii) speed of threat identification and response that is commensurate with the radically accelerated advanced attacks coming from adversaries.

Rapid Response Content is separate and distinct from CrowdStrike’s on-sensor AI prevention and detection capabilities, but it is an important part of the dynamic protection mechanisms of the CrowdStrike Falcon® platform. It fine-tunes and enhances the sensor’s ability to observe specific behaviors at operational speed — without requiring changes to the sensor code. Rapid Response Content is configuration data; it is not code or a kernel driver.

The Falcon platform — which relies on a unique combination of AI, machine learning and real-time rapid response intelligence — protects customer systems by identifying and remediating the latest advanced threats. That means our customers get the highest level of protection against increasingly sophisticated bad actors. In doing so, we take a comprehensive approach that prioritizes both rigorous testing and rapid response to emerging threats.

Q: What is CrowdStrike doing to help ensure this doesn’t happen in the future?

While this scenario with Channel File 291 is now incapable of recurring, it informs the process improvements and mitigation steps that CrowdStrike is deploying to help ensure further enhanced resilience.

Based on the findings in the RCA, here are some of the actions CrowdStrike has taken and will take moving forward:

• Update Content Configuration System test procedures. This work has been completed. This includes upgraded tests for Template Type development, with automated tests for all existing Template Types. Template Types are part of the sensor and contain predefined fields for threat detection engineers to leverage in Rapid Response Content.

• Add additional deployment layers and acceptance checks for the Content Configuration System. This work has been completed with an updated deployment ring process, ensuring Template Instances pass successive deployment rings before rollout into production.
• Provide customers additional control over the deployment of Rapid Response Content updates. New capabilities have been implemented and deployed to our cloud that allow customers to control how Rapid Response Content is deployed, with additional functionality planned for the future. 
• Prevent the creation of problematic Channel 291 files. Validation for the number of input fields has been implemented to prevent this issue from happening.

• Implement additional checks in the Content Validator. Additional checks are planned for release into production by August 19, 2024.

• Enhance bounds checking in the Content Interpreter for Rapid Response Content in Channel File 291. Bounds checking was added on July 25, 2024, with general availability expected August 9, 2024. These fixes are being backported to all Windows sensor versions 7.11 and above through a sensor software hotfix release.

• Engage two independent third-party software security vendors to conduct further review of the Falcon sensor code and end-to-end quality control and release processes. This work has begun and will be ongoing as part of our focus on security and resilience by design.

For additional detail on the actions CrowdStrike has taken and will take moving forward to help ensure this doesn’t happen in the future, please refer to the RCA.

Q: How did CrowdStrike engage with customers and partners to minimize impact?

CrowdStrike began working with customers and partners to bring systems online as quickly as possible, initially through manual remediation. These efforts enabled the systems to come back online within hours following the initial incident.

On July 22, 2024, CrowdStrike introduced automated techniques to accelerate remediation.

To further help customers bring systems online as quickly as possible, CrowdStrike deployed personnel and engaged with strategic partner services teams to assist customers with recovery efforts. We also worked to provide continuous and transparent updates to customers throughout our response. As of July 29, 2024, at 8:00 p.m. EDT, ~99% of Windows sensors were online, compared to before the content update. We typically see a variance of ~1% week-over-week in sensor connections.

Q: How should customers think about the company’s financial strength?

CrowdStrike has always managed the business with financial discipline, and this is showcased by our financial strength.

As of April 30, 2024, the end of our first quarter fiscal year 2025, we had cash and cash equivalents of $3.7 billion. The company also has a $750 million revolving credit facility.

By delivering value through our industry-leading platform and building resiliency, we create strong and enduring relationships with our customers. For the trailing 12 months ending April 30, 2024, CrowdStrike generated over $1 billion in cash flow, which we believe will enable us to continue investing in the business and cover potential legal liabilities. In addition, we maintain insurance policies that are intended to mitigate the potential impact of certain claims.

Our standard terms and conditions related to customer contracts, including limitations of liability, are laid out on our website (https://www.crowdstrike.com/terms-conditions/).

Q: Does CrowdStrike Falcon have kernel access to the Windows operating system? Is this standard for the industry, and will it continue?

Yes. CrowdStrike Falcon, like other cybersecurity products, runs parts of its logic in the kernel of the Windows operating system. Presence in the kernel offers rich visibility into system-wide security-relevant activities, such as process and thread creation or files being written, deleted and modified on disk. This access provides maximum protection against cyber threats.

CrowdStrike certifies each new sensor release, including the latest versions of all channel files at the time of certification, through Microsoft’s Windows Hardware Quality Labs (WHQL) program. This includes extensive testing through Microsoft’s Windows Hardware Lab Kit (Windows HLK).

The WHQL certification process marks the end of a comprehensive internal testing gauntlet involving functional tests, longevity tests, stress tests with fault injection, fuzzing and performance tests. During the testing required for the WHQL program, the sensors use the latest versions of channel files at the time of certification. Recent reports that any kernel-related processes were bypassed are false. For more information, please see the RCA.

We are unaware of any plans for Microsoft to remove kernel access from CrowdStrike or any other cybersecurity company.

Q: Did null bytes in Channel File 291 cause the incident?

No. For additional information, please read the following: Tech Analysis: Channel File May Contain Null Bytes.

These updates are a regular part of the dynamic protection mechanisms of the Falcon platform. The problematic Rapid Response Content configuration update resulted in a Windows system crash.

Systems in scope include Windows hosts running sensor version 7.11 and above that were online between Friday, July 19, 2024 04:09 UTC and Friday, July 19, 2024 05:27 UTC and received the update. Mac and Linux hosts were not impacted.

The defect in the content update was reverted on Friday, July 19, 2024 at 05:27 UTC. Systems coming online after this time, or that did not connect during the window, were not impacted.

What Went Wrong and Why?

CrowdStrike delivers security content configuration updates to our sensors in two ways: Sensor Content that is shipped with our sensor directly, and Rapid Response Content that is designed to respond to the changing threat landscape at operational speed.

The issue on Friday involved a Rapid Response Content update with an undetected error.

Sensor Content
Sensor Content provides a wide range of capabilities to assist in adversary response. It is always part of a sensor release and not dynamically updated from the cloud. Sensor Content includes on-sensor AI and machine learning models, and comprises code written expressly to deliver longer-term, reusable capabilities for CrowdStrike’s threat detection engineers.

These capabilities include Template Types, which have pre-defined fields for threat detection engineers to leverage in Rapid Response Content. Template Types are expressed in code. All Sensor Content, including Template Types, go through an extensive QA process, which includes automated testing, manual testing, validation and rollout steps.

The sensor release process begins with automated testing, both prior to and after merging into our code base. This includes unit testing, integration testing, performance testing and stress testing. This culminates in a staged sensor rollout process that starts with dogfooding internally at CrowdStrike, followed by early adopters. It is then made generally available to customers. Customers then have the option of selecting which parts of their fleet should install the latest sensor release (‘N’), or one version older (‘N-1’) or two versions older (‘N-2’) through Sensor Update Policies.

The event of Friday, July 19, 2024 was not triggered by Sensor Content, which is only delivered with the release of an updated Falcon sensor. Customers have complete control over the deployment of the sensor — which includes Sensor Content and Template Types.

Rapid Response Content
Rapid Response Content is used to perform a variety of behavioral pattern-matching operations on the sensor using a highly optimized engine. Rapid Response Content is a representation of fields and values, with associated filtering. This Rapid Response Content is stored in a proprietary binary file that contains configuration data. It is not code or a kernel driver.

Rapid Response Content is delivered as “Template Instances,” which are instantiations of a given Template Type. Each Template Instance maps to specific behaviors for the sensor to observe, detect or prevent. Template Instances have a set of fields that can be configured to match the desired behavior.

In other words, Template Types represent a sensor capability that enables new telemetry and detection, and their runtime behavior is configured dynamically by the Template Instance (i.e., Rapid Response Content).

Rapid Response Content provides visibility and detections on the sensor without requiring sensor code changes. This capability is used by threat detection engineers to gather telemetry, identify indicators of adversary behavior and perform detections and preventions. Rapid Response Content is behavioral heuristics, separate and distinct from CrowdStrike’s on-sensor AI prevention and detection capabilities.

Rapid Response Content Testing and Deployment
Rapid Response Content is delivered as content configuration updates to the Falcon sensor. There are three primary systems: the Content Configuration System, the Content Interpreter and the Sensor Detection Engine.

The Content Configuration System is part of the Falcon platform in the cloud, while the Content Interpreter and Sensor Detection Engine are components of the Falcon sensor. The Content Configuration System is used to create Template Instances, which are validated and deployed to the sensor through a mechanism called Channel Files. The sensor stores and updates its content configuration data through Channel Files, which are written to disk on the host.

The Content Interpreter on the sensor reads the Channel File and interprets the Rapid Response Content, enabling the Sensor Detection Engine to observe, detect or prevent malicious activity, depending on the customer’s policy configuration. The Content Interpreter is designed to gracefully handle exceptions from potentially problematic content.

Newly released Template Types are stress tested across many aspects, such as resource utilization, system performance impact and event volume. For each Template Type, a specific Template Instance is used to stress test the Template Type by matching against any possible value of the associated data fields to identify adverse system interactions.

Template Instances are created and configured through the use of the Content Configuration System, which includes the Content Validator that performs validation checks on the content before it is published.

Timeline of Events: Testing and Rollout of the InterProcessCommunication (IPC) Template Type
Sensor Content Release: On February 28, 2024, sensor 7.11 was made generally available to customers, introducing a new IPC Template Type to detect novel attack techniques that abuse Named Pipes. This release followed all Sensor Content testing procedures outlined above in the Sensor Content section.

Template Type Stress Testing: On March 05, 2024, a stress test of the IPC Template Type was executed in our staging environment, which consists of a variety of operating systems and workloads. The IPC Template Type passed the stress test and was validated for use.

Template Instance Release via Channel File 291: On March 05, 2024, following the successful stress test, an IPC Template Instance was released to production as part of a content configuration update. Subsequently, three additional IPC Template Instances were deployed between April 8, 2024 and April 24, 2024. These Template Instances performed as expected in production.

What Happened on July 19, 2024?
On July 19, 2024, two additional IPC Template Instances were deployed. Due to a bug in the Content Validator, one of the two Template Instances passed validation despite containing problematic content data.

Based on the testing performed before the initial deployment of the Template Type (on March 05, 2024), trust in the checks performed in the Content Validator, and previous successful IPC Template Instance deployments, these instances were deployed into production.

When received by the sensor and loaded into the Content Interpreter, problematic content in Channel File 291 resulted in an out-of-bounds memory read triggering an exception. This unexpected exception could not be gracefully handled, resulting in a Windows operating system crash (BSOD).

How Do We Prevent This From Happening Again?

Software Resiliency and Testing

• Improve Rapid Response Content testing by using testing types such as:
  • Local developer testing
  • Content update and rollback testing
  • Stress testing, fuzzing and fault injection
  • Stability testing
  • Content interface testing
• Add additional validation checks to the Content Validator for Rapid Response Content. A new check is in process to guard against this type of problematic content from being deployed in the future.
• Enhance existing error handling in the Content Interpreter.

 

Rapid Response Content Deployment

• Implement a staggered deployment strategy for Rapid Response Content in which updates are gradually deployed to larger portions of the sensor base, starting with a canary deployment.
• Improve monitoring for both sensor and system performance, collecting feedback during Rapid Response Content deployment to guide a phased rollout.
• Provide customers with greater control over the delivery of Rapid Response Content updates by allowing granular selection of when and where these updates are deployed.
• Provide content update details via release notes, which customers can subscribe to.

 

Updated 2024-07-24 2217 UTC

Third Party Validation

• Conduct multiple independent third-party security code reviews.
• Conduct independent reviews of end-to-end quality processes from development through deployment.

In addition to this preliminary Post Incident Review, CrowdStrike is committed to publicly releasing the full Root Cause Analysis once the investigation is complete.