Following what it referred to as a “ridiculous vulnerability disclosure process,” a security company has revealed the specifics of a problem with a CrowdStrike product. Following the disclosure, CrowdStrike clarified a few things.
A flaw with CrowdStrike’s Falcon endpoint detection and response tool was uncovered by researchers at the Swiss security firm Modzero. In particular, the Falcon Sensor, a lightweight agent installed on each end device, is the issue. The sensor can be configured with uninstall protection, which prevents its removal without a special token. Modzero discovered that an attacker with admin privileges can bypass the token check on Windows devices and uninstall the sensor in an effort to remove the protection provided by CrowdStrike’s product.
Due to the elevated privileges needed for exploitation, the company acknowledged that “the overall risk of the vulnerability is relatively limited,” but it nevertheless decided to complain about the disclosure process in a blog post in addition to a technical advisory explaining the problem. The disclosure process was difficult for Modzero because it did not wish to submit its findings through CrowdStrike’s HackerOne bug reward program.
Early in June, Modzero began requesting information from CrowdStrike regarding a different method of reporting its results that did not entail working with HackerOne or agreeing to a non-disclosure agreement.
In the end, Modzero emailed its findings to CrowdStrike in late June, but at first, the company was unable to duplicate the problem and later stated that it did not seem to be a legitimate vulnerability.
The vendor had actually taken some precautions to prevent exploitation, including by identifying Modzero’s proof-of-concept (POC) vulnerability as malicious, which Modzero discovered when it later tested its findings on a more recent version of CrowdStrike Falcon. Bypassing CrowdStrike’s defences, according to Modzero, allowed it to decide to publish its results.
After Modzero’s technical advisory and blog post were published on Monday, CrowdStrike responded on Reddit with clarifications regarding the vulnerability but did not address the problems with the disclosure process itself. However, it did thank Modzero for its “hard work and disclosure of this incident.”
The endpoint security company states that “specialist software, local administrator access, privilege elevation, and a reboot of the endpoint” are all necessary for exploitation.
CrowdStrike informed Microsoft of a flaw on August 12 and claimed that the issue is associated with the Microsoft installer. The CVE identifier for the vulnerability is CVE-2022-2841, but CrowdStrike stated that the CVE is still undergoing analysis.
UPDATE
Statement from CrowdStrike spokesperson Kevin Benacci:
“We want to set the record straight on how this situation transpired. As both parties have stated, we engaged with modzero immediately upon receipt of them reporting the issue on June 29. As modzero has indicated, the issue reported is with Microsoft’s MSI implementation and requires local access and admin privileges. On July 8, less than 10 days of receipt of this initial report, we notified all Falcon customers via a Technical Alert (crediting modzero), and we subsequently reported the MSI bug to Microsoft. We attempted to continue the dialogue with modzero in early July to no avail and did not hear from them over the past 6 plus weeks until yesterday, when they published their blog. In line with industry best practices, we are committed to engaging with the research community in a positive and professional manner that protects customers. Responsible and timely disclosure is an important part of the process of building trust and supporting the security community, which is why CrowdStrike runs an open and transparent bug bounty program with partners such as HackerOne.”
