Security Firm Discloses CrowdStrike Issue After ‘Ridiculous Disclosure Process’

Following what it referred to as a “ridiculous vulnerability disclosure process,” a security company has revealed the specifics of a problem with a CrowdStrike product. Following the disclosure, CrowdStrike clarified a few things.

An flaw with CrowdStrike’s Falcon endpoint detection and response tool was uncovered by researchers at the Swiss security firm Modzero. In particular, the Falcon Sensor, a lightweight agent installed on each end device, is the issue. Uninstall protection for the sensor can be configured to prevent removal without a unique token.

An attacker with admin rights was found by Modzero to be able to disable the token check on Windows devices and uninstall the sensor in an effort to disable the security offered by CrowdStrike’s product.

Due to the elevated privileges needed for exploitation, the company acknowledged that “the overall risk of the vulnerability is relatively limited,” but it nevertheless decided to complain about the disclosure process in a blog post in addition to a technical advisory explaining the problem.

The disclosure process was difficult for Modzero because it did not wish to submit its findings through CrowdStrike’s HackerOne bug reward program.

Early in June, Modzero began requesting information from CrowdStrike regarding a different method of reporting its results that did not entail working with HackerOne or agreeing to a non-disclosure agreement.

In the end, Modzero emailed its findings to CrowdStrike in late June, but at first the company was unable to duplicate the problem and later stated that it did not seem to be a legitimate vulnerability.

The vendor had actually taken some precautions to prevent exploitation, including by identifying Modzero’s proof-of-concept (PoC) vulnerability as malicious, which Modzero discovered when it later tested its findings on a more recent version of CrowdStrike Falcon.

“Falcon is installed and uninstalled on Windows systems using the Microsoft Installer (MSI) harness. To perform secondary actions during an installation or uninstallation — such as performing system checks or, in this instance, verifying an uninstall token — Microsoft recommends using Custom Actions (CA) via msiexec.exe.

During an uninstallation of Falcon, several instances of msiexec.exe run in parallel performing various tasks. One of these tasks uses a custom action (CA) to verify the presence of a valid uninstall token for Falcon. Under normal conditions, if that verification fails or can’t be completed, the MSI logic stops the uninstallation process and notifies the user that a valid uninstall token is required.

As disclosed by modzero, a local administrator can circumvent this within Microsoft’s MSI implementation, wherein msiexec.exe will continue an uninstall process if a CA terminates without returning (such as when that process crashes or is intentionally killed). In essence, the MSI is failing open (unexpected) as opposed to failing closed (expected).”