Saturday, July 20, 2024

19th July 2024 - The CrowdStrike "Software Update" that Y2K wished it was!

On July 19, 2024, a faulty software update from CrowdStrike, a leading cybersecurity firm, caused a widespread outage impacting businesses globally. I'm writing this blog post mostly for posterity. I will dive into the context of the outage, its far-reaching effects, and the current remediation efforts.

Context: A Flawed Update Disrupts Operations

The culprit behind the outage was a defective update rolled out for CrowdStrike's Falcon tool, specifically affecting Windows machines. This update triggered critical errors, causing systems to crash and hindering essential operations. It's important to emphasize that CrowdStrike assures this was not a cyberattack.

Impact: A Ripple Effect Across Industries

The outage cascaded across various sectors, causing significant disruptions. Here's a glimpse of the widespread impact:

  • Travel: Airlines were heavily affected, with grounded flights due to issues with check-in systems and flight calculations.
  • Finance: Banks and other financial institutions experienced disruptions, hindering critical services.
  • Healthcare: Hospitals and medical facilities faced challenges, impacting patient care.
  • Businesses: Small and large businesses alike grappled with operational slowdowns and service outages.

Remediation: Restoring Systems and Preventing Recurrence

Official remediation advice from CrowdStrike: https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/

CrowdStrike responded to the crisis. They identified the faulty update, isolated the issue, and deployed a fix. Additionally, they've offered resources and support to impacted customers to ensure a smooth recovery.

I found a Reddit thread that was kept updated by the community on the proposed workarounds and solutions.

Conclusion: Learning from the Outage

The CrowdStrike outage serves as a stark reminder of our dependence on cybersecurity solutions and the potential consequences of technical glitches. By prioritising robust testing, open communication, and exceptional customer support, CrowdStrike can rebuild trust and ensure a more resilient future.

Looking forward to learning how the defective software update reached millions of devices worldwide. There will be a lot of learnings for all technologists from this unfortunate incident. Most importantly, since CrowdStrike is a US company, a Congressional Hearing is in order.

Tuesday, July 02, 2024

regreSSHion: A High-Severity OpenSSH Vulnerability (CVE-2024-6387)

What is CVE-2024-6387?

CVE-2024-6387, also nicknamed "regreSSHion," is a critical vulnerability in OpenSSH's server software (sshd) that allows remote unauthenticated code execution (RCE) on affected systems. This means an attacker could potentially take complete control of your machine without ever needing valid login credentials.

The vulnerability stems from a signal handler race condition in sshd. When a client fails to authenticate before the login grace timeout expires, the server runs a signal handler. Crucially, some of the functions called from that handler are not async-signal-safe: they were never designed to be interrupted and re-entered, so the handler can corrupt state and cause unexpected behaviour. On certain glibc-based Linux systems, this can be exploited for RCE.
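To make the bug class concrete, here is an added example (not OpenSSH code and not from the original post) contrasting the unsafe handler shape described above with the standard safe one: the handler only records that the grace timeout fired, and the cleanup that would call non-async-signal-safe functions runs later in ordinary context. The names safe_grace_handler, install_grace_handler and run_auth_loop are assumptions for this example, and raise(SIGALRM) stands in for a real alarm() expiring.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not OpenSSH source. The unsafe shape the post describes looks
 * like the following (comment only: its failure is a timing-dependent race,
 * not something a deterministic test can reproduce on demand):
 *
 *     static void unsafe_grace_handler(int sig) {
 *         syslog(LOG_INFO, "login grace time exceeded"); // not async-signal-safe
 *         do_cleanup_and_exit();                          // may call malloc()/free()
 *     }
 *
 * If the signal lands while the main program is inside malloc() or syslog(),
 * the handler re-enters code whose internal state is mid-update.
 */

/* Safe pattern: the handler touches only a volatile sig_atomic_t flag. */
static volatile sig_atomic_t grace_expired = 0;

static void safe_grace_handler(int sig)
{
    (void)sig;
    grace_expired = 1;  /* the only kind of work a handler should do */
}

/* Install the handler with sigaction(); returns 0 on success, like sigaction(). */
int install_grace_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = safe_grace_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;  /* no SA_RESTART: blocking calls return EINTR so the loop sees the flag */
    return sigaction(SIGALRM, &sa, NULL);
}

/*
 * Simulated authentication loop. deliver_timeout=1 stands in for alarm()
 * firing (raise() delivers the signal synchronously in a single-threaded
 * program). Logging and cleanup happen here, in normal context, where any
 * function is safe to call. Returns 1 if a timeout was seen and handled,
 * 0 if the loop finished without one, -1 if the handler could not be installed.
 */
int run_auth_loop(int deliver_timeout)
{
    grace_expired = 0;
    if (install_grace_handler() != 0)
        return -1;
    if (deliver_timeout)
        raise(SIGALRM);

    for (int attempt = 0; attempt < 100; attempt++) {
        if (grace_expired) {
            /* Not inside a signal handler: fprintf/free/exit are all fine here. */
            fprintf(stderr, "grace timeout observed at attempt %d; cleaning up\n", attempt);
            return 1;
        }
        /* ... normal per-iteration authentication work would go here ... */
    }
    return 0;
}

int main(void)
{
    printf("no timeout   -> %d\n", run_auth_loop(0));
    printf("with timeout -> %d\n", run_auth_loop(1));
    return 0;
}
```

The design point is that the handler never calls anything that might be interrupted mid-update; every function that is not async-signal-safe is pushed back into the main loop, which polls the flag.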

Who discovered it?

The Qualys Threat Research Unit (TRU) is credited with discovering CVE-2024-6387. Their research indicates this vulnerability has the potential to affect millions of servers.

How can I find out if I'm vulnerable?

There are two main ways to check whether your system is vulnerable to CVE-2024-6387:

  1. Check your OpenSSH version: Vulnerable systems run OpenSSH versions earlier than 4.4p1, or from 8.5p1 up to but not including 9.8p1. You can check your version by running the following command in your terminal:
        ssh -V
  2. Consult your Linux distribution's security resources: Most Linux distributions have released advisories regarding CVE-2024-6387. These advisories will detail the specific versions affected and any available patches.
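As an added example (not from the original post or from OpenSSH), the following classifies a version string, as printed by ssh -V or sent in the server's banner, against the ranges listed in step 1. The sample strings are constructed for the example, and the function names are assumptions. Two caveats a practitioner should keep in mind: ssh -V reports the client binary, so confirm the sshd package specifically, and many distributions backport fixes without changing the upstream version number, which is exactly why step 2 (the distribution advisory) is still needed.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example. Classifies an OpenSSH version string against the ranges the
 * post gives for CVE-2024-6387: earlier than 4.4p1, or from 8.5p1 up to but
 * not including 9.8p1. "In range" means "check your distro advisory", not
 * "confirmed vulnerable", because backported fixes keep the upstream version.
 */

enum ssh_version_status {
    SSH_VERSION_UNKNOWN = -1,       /* no OpenSSH_<major>.<minor> found */
    SSH_VERSION_OUTSIDE_RANGE = 0,
    SSH_VERSION_IN_RANGE = 1
};

/* Find "OpenSSH_<major>.<minor>" anywhere in s (works for "ssh -V" output and
   for a banner such as "SSH-2.0-OpenSSH_9.6p1 ..."). Returns 1 on success. */
int parse_openssh_version(const char *s, int *major, int *minor)
{
    const char *p = strstr(s, "OpenSSH_");
    if (p == NULL)
        return 0;
    return sscanf(p, "OpenSSH_%d.%d", major, minor) == 2;
}

/* Encode major.minor as one comparable integer: 9.6 -> 906, 4.4 -> 404. */
static int version_code(int major, int minor)
{
    return major * 100 + minor;
}

/* Returns one of the enum ssh_version_status values. */
int cve_2024_6387_status(const char *version_string)
{
    int major, minor;
    if (!parse_openssh_version(version_string, &major, &minor))
        return SSH_VERSION_UNKNOWN;

    int code = version_code(major, minor);
    if (code < version_code(4, 4))
        return SSH_VERSION_IN_RANGE;
    if (code >= version_code(8, 5) && code < version_code(9, 8))
        return SSH_VERSION_IN_RANGE;
    return SSH_VERSION_OUTSIDE_RANGE;
}

int main(void)
{
    /* Constructed sample strings for the example (the suffixes are illustrative). */
    const char *samples[] = {
        "OpenSSH_9.6p1 Ubuntu-3ubuntu13, OpenSSL 3.0.13 30 Jan 2024",
        "SSH-2.0-OpenSSH_8.4p1",
        "SSH-2.0-OpenSSH_9.8p1",
        "OpenSSH_4.3p2",
        "dropbear_2022.83",
    };
    const char *labels[] = { "outside listed range", "in listed range (check distro advisory)" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int st = cve_2024_6387_status(samples[i]);
        printf("%-60s -> %s\n", samples[i],
               st == SSH_VERSION_UNKNOWN ? "no OpenSSH version found" : labels[st]);
    }
    return 0;
}
```

The encoding major*100+minor keeps the comparison to plain integer arithmetic; it assumes minor versions stay below 100, which holds for every OpenSSH release to date.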

Open Source Tools and Patches

The good news is that patches are readily available to address CVE-2024-6387. It's crucial to update your OpenSSH server to a patched version as soon as possible. You can find the update procedure specific to your Linux distribution through their official channels.

Here are some additional resources: