Issue 24: Major Tech Updates Spark Crashes and Vulnerabilities: CrowdStrike, Microsoft, and Docker Affected

Top Stories 26 July 2024:

  1. CrowdStrike: 'Content Validator' Bug Let Faulty Update Pass Checks
  2. Windows July Security Updates Send PCs into BitLocker Recovery
  3. Critical Docker Engine Flaw Allows Attackers to Bypass Authorisation Plugins


CrowdStrike: 'Content Validator' Bug Let Faulty Update Pass Checks

CrowdStrike released a Preliminary Post Incident Review (PIR) on the faulty Falcon update, which caused millions of Windows systems to crash on July 19, 2024.


The crash resulted from a bug allowing bad data to pass the Content Validator and affect systems running Falcon version 7.11 and later.


The update aimed to gather telemetry on new threat techniques but did not undergo additional verification due to trust in previous successful deployments. This error led to approximately 8.5 million Windows systems experiencing out-of-bounds memory reads and crashes.


CrowdStrike uses IPC Template Types in its Rapid Response Content updates to detect suspicious behaviour. These templates, similar to antivirus definition updates, adjust the Falcon sensor's detection capabilities. The faulty update aimed to detect malicious Named Pipe abuse in common Command and Control (C2) frameworks, possibly including Cobalt Strike.


The issue arose because the faulty configuration passed the Content Validator due to a bug, bypassing further testing. CrowdStrike's automated stress testing, which includes resource utilisation and performance impact assessments, did not catch the problem.


To prevent future incidents, CrowdStrike plans to implement:

  1. Local developer testing
  2. Content update and rollback testing
  3. Stress testing, fuzzing, and fault injection
  4. Stability and content interface testing
  5. Additional validation checks and improved error handling


Deployment changes will include staggered deployments, enhanced performance monitoring, customer control over update delivery, and detailed release notes. A more detailed root cause analysis will be published following the internal investigation.

TLDR;

  • A faulty Falcon update by CrowdStrike caused 8.5 million Windows systems to crash on July 19, 2024, due to a bug in the Content Validator.
  • The update, intended for telemetry, bypassed verification, causing crashes.
  • CrowdStrike will improve testing, deploy updates gradually, and enhance error handling to prevent future issues.


Windows July Security Updates Send PCs Into BitLocker Recovery

Microsoft has warned that some Windows devices will boot into BitLocker recovery mode after installing the July 2024 security updates (KB5040442), released on July 9, 2024. BitLocker, a security feature that encrypts storage drives to protect against data theft, can prompt a recovery mode entry due to hardware or firmware changes, among other triggers.


Affected users will see a BitLocker recovery screen and need to enter their recovery key to unlock the drive and boot the device normally. This issue is more likely to occur if the Device Encryption option is enabled in Settings under Privacy & Security.


The affected platforms include:

  1. Client: Windows 11 versions 23H2, 22H2, and 21H2, Windows 10 versions 22H2 and 21H2.
  2. Server: Windows Server 2022, 2019, 2016, 2012 R2, 2012, 2008 R2, and 2008.


The BitLocker recovery key can be retrieved through the BitLocker recovery screen portal using a Microsoft account. Further information on locating the recovery key is available on the support page.


Microsoft is investigating the issue and will provide updates as more information becomes available. This is not the first occurrence; a similar issue arose in August 2022 after the KB5012170 security update, and another related bug was addressed in April 2024.


For more information, users can refer to the Windows release health dashboard and the support page for finding the recovery key.


TLDR;

  • Microsoft warned that the July 2024 security update (KB5040442) might cause devices to enter BitLocker recovery mode.
  • Users must enter their recovery key to unlock the drive; this mainly affects devices with Device Encryption enabled.
  • Impacted platforms include Windows 11, Windows 10, and various Windows Server versions. Microsoft is investigating.


Critical Docker Engine Flaw Allows Attackers to Bypass Authorisation Plugins

Docker has issued a warning about a critical vulnerability in certain versions of Docker Engine, tracked as CVE-2024-41110, which has a CVSS score of 10.0, indicating its severity. This flaw allows an attacker to bypass authorisation plugins (AuthZ) under specific conditions, potentially leading to privilege escalation.


The vulnerability occurs when an API request with Content-Length set to 0 is forwarded by the Docker daemon to the AuthZ plugin without the body, so the plugin cannot inspect what the request actually does and incorrectly approves it. The issue is a regression: the fix for the same bug shipped in Docker Engine v18.09.1 in January 2019 but was not carried over to subsequent versions (19.03 and later).


The vulnerability affects the following Docker Engine versions if AuthZ plugins are used for access control decisions:

<= v19.03.15, <= v20.10.27, <= v23.0.14, <= v24.0.9, <= v25.0.5, <= v26.0.2, <= v26.1.4, <= v27.0.3 and <= v27.1.0


The issue was fixed in versions 23.0.14 and 27.1.0 as of July 23, 2024. Users who do not rely on AuthZ plugins or use Mirantis Container Runtime are not affected. Docker Desktop versions up to 4.32.0 are also impacted, though exploitation is less likely and requires local access to the Docker API. A fix for Docker Desktop is expected in version 4.33.
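As an added example (not Docker's own tooling), the check below tells whether a host is exposed: the engine version is compared against the affected branches listed above, and the daemon's `authorization-plugins` setting in daemon.json decides whether an AuthZ plugin is actually in use. Versions on branches not listed above are treated as not affected; the daemon.json content in the test is constructed.

```python
# Added example (not Docker's own tooling): decide whether a Docker Engine host
# falls in the CVE-2024-41110 affected ranges listed above AND uses AuthZ plugins.
import json
import re

# Highest affected patch release per release branch, as listed in the advisory summary.
# A version is affected when it is <= the ceiling for its own branch.
AFFECTED_CEILINGS = {
    (19, 3): (19, 3, 15),
    (20, 10): (20, 10, 27),
    (23, 0): (23, 0, 14),
    (24, 0): (24, 0, 9),
    (25, 0): (25, 0, 5),
    (26, 0): (26, 0, 2),
    (26, 1): (26, 1, 4),
    (27, 0): (27, 0, 3),
    (27, 1): (27, 1, 0),
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Turn '27.1.0', 'v24.0.9' or '20.10.27-ce' into a (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Docker version: {text!r}")
    return tuple(int(x) for x in m.groups())

def version_in_affected_range(text):
    """True if the engine version is within a listed affected range."""
    major, minor, patch = parse_version(text)
    ceiling = AFFECTED_CEILINGS.get((major, minor))
    if ceiling is None:
        # Only branches named in the advisory summary are evaluated (e.g. 27.2.x is not).
        return False
    return (major, minor, patch) <= ceiling

def authz_plugins_enabled(daemon_json_text):
    """Read the 'authorization-plugins' list from a daemon.json document."""
    cfg = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    return list(cfg.get("authorization-plugins", []))

def assess(version_text, daemon_json_text):
    """Exposed only when both conditions hold: affected version and AuthZ plugin in use."""
    vulnerable_version = version_in_affected_range(version_text)
    plugins = authz_plugins_enabled(daemon_json_text)
    return {"vulnerable_version": vulnerable_version, "authz_plugins": plugins,
            "exposed": vulnerable_version and bool(plugins)}
```

On a live host the two inputs come from `docker version --format '{{.Server.Version}}'` and the contents of /etc/docker/daemon.json.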


Docker urges users to update to the latest versions to mitigate this threat. Although there is no evidence of CVE-2024-41110 being exploited in the wild, quick application of the updates is recommended to prevent potential attacks.

TLDR;

  • Docker warned of a critical vulnerability (CVE-2024-41110) in certain Docker Engine versions, allowing privilege escalation by bypassing authorisation plugins.
  • The flaw, fixed in versions 23.0.14 and 27.1.0, affects versions up to 27.1.0 when using AuthZ plugins.
  • Users are urged to update to the latest versions; Docker Desktop fix expected in version 4.33.



That's all folks!

Thank you for reading Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Dafydd Davies (SOC Automation Engineer).


If you like what you've read, subscribe so you don't miss next week's roundup!

