Security Advisories
CVE-2022-2841 - Falcon Sensor for Windows Uninstall with Elevated Privileges
SUMMARY:
A vulnerability was found in CrowdStrike Falcon 6.31.14505.0/6.42.15610/6.44.15806. Affected is an unknown function of the component Uninstallation Handler. The manipulation leads to missing authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 6.40.15409, 6.42.15611 and 6.44.15807 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-206880.
Timeline
- On June 29, 2022, CrowdStrike was contacted by security firm modzero concerning a security issue with the Falcon uninstall process and provided technical details and proof of concept code.
- On July 8, 2022, CrowdStrike disclosed this issue to its customers via a tech alert. The security firm modzero was credited with the disclosure and discovery of the issue.
- On August 12, 2022, after additional research and documentation, CrowdStrike submitted a bug report to Microsoft detailing the issue with Microsoft Installer (MSI) custom actions.
- On August 22, 2022, modzero published a blog post that included their proof of concept code and submitted a CVE entry citing that blog post (at time of writing, this CVE is still under analysis).
Technical Details
Falcon is installed and uninstalled on Windows systems using the Microsoft Installer (MSI) harness. To perform secondary actions during an installation or uninstallation — such as performing system checks or, in this instance, verifying an uninstall token — Microsoft recommends using Custom Actions (CA) via msiexec.exe.
During an uninstallation of Falcon, several instances of msiexec.exe run in parallel performing various tasks. One of these tasks uses a custom action (CA) to verify the presence of a valid uninstall token for Falcon. Under normal conditions, if that verification fails or can’t be completed, the MSI logic stops the uninstallation process and notifies the user that a valid uninstall token is required.
As disclosed by modzero, a local administrator can circumvent this within Microsoft’s MSI implementation, wherein msiexec.exe will continue an uninstall process if a CA terminates without returning (such as when that process crashes or is intentionally killed). In essence, the MSI is failing open (unexpected) as opposed to failing closed (expected). Because of the timing and privilege required to execute the bypass, this method requires specialized software, local administrator access, privilege elevation, and a reboot of the endpoint.
On August 12, 2022, CrowdStrike submitted a bug report to Microsoft with technical details around the MSI behavior. Of note: the Windows installer download from the Falcon portal is a Portable Executable (EXE), however, it serves as a wrapper for three separate MSI files — 32-bit, 64-bit, and ARM — to prevent customers from having to wrestle with three MSIs based on system bitness (and EXEs can accept custom switches, which MSIs can not do).
Hunting and Additional Detection Options
CrowdStrike added detection and prevention logic to try and expose uninstallation attempts that use this and similar techniques. The detection is in-line for all customers. Ensuring “Suspicious Process” blocking is enabled in your Falcon prevention policies will turn on blocking. CrowdStrike published a hunting query in the original Tech Alert on July 8, 2022.
That query is:
event_platform=win event_simpleName=ProcessRollup2 ParentBaseFileName=cmd.exe FileName=msiexec.exe | regex CommandLine=".+\\\Package\s+Cache\\\{[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]v\d+\.\d+\.\d+\.\d+\\\(CsAgent.*|CsDeviceControl|CsFirmwareAnalysis)\.msi\"\s+REMOVE\=ALL" | lookup local=true aid_master aid OUTPUT AgentVersion, Version | eval ProcExplorer=case(TargetProcessId_decimal!="","https://falcon.crowdstrike.com/investigate/process-explorer/" .aid. "/" . TargetProcessId_decimal) | table ProcessStartTime_decimal aid LocalAddressIP4 ComputerName aip Version AgentVersion UserName ParentBaseFileName FileName CommandLine ProcExplorer | convert ctime(ProcessStartTime_decimal) | rename ProcessStartTime_decimal as systemClockUTC, aid as agentID, LocalAddressIP4 as localIP, aip as externalIP, Version as osVersion, AgentVersion as agentVersion, UserName as userName, ParentBaseFileName as parentFile, FileName as fileName, CommandLine as cmdLine, ProcExplorer as processExplorerLink
Customers can also leverage Custom IOAs to create additional signals to look for unexpected uninstallation of the Falcon sensor. Example syntax:
Platform: Windows Custom IOA Type: Process Creation
Grandparent ImageFileName: .*\.exe Grandparent CommandLine: .*\.msi.*
Parent ImageFileName: .*\\cmd\.exe Parent CommandLine: .*\\(CsAgent.*|CsDeviceControl|CsFirmwareAnalysis)\.msi\"\s+remove\=all
ImageFileName: .*\\msiexec\.exe CommandLine: .*\\(CsAgent.*|CsDeviceControl|CsFirmwareAnalysis)\.msi\"\s+remove\=all
RESOLUTION
Hotfix release version 6.46.16010 is an update for the previously released sensor version 6.46.16008 For information about changes in sensor version 6.46.16008, see 6.46.16008. Hotfix release versions 6.45.15908, 6.44.15807, 6.42.15611, and 6.40.15409 are updates for the previously released sensor versions 6.45.15907, 6.44.15806, 6.44.15803, 6.42.15610, 6.42.15609, and 6.40.15406. Upgrade hosts to a patched version of Falcon sensor for Windows:
- 6.46.16010 Hotfix
- 6.45.15908 Hotfix
- 6.44.15807 Hotfix
- 6.42.15611 Hotfix
- 6.40.15409 Hotfix
Additional Questions
If you have additional questions, please reach out to your Technical Account Manager, Sales Engineer, Account Manager, or CrowdStrike Support.
