Monday, September 25, 2023
LetsAskBinu.com
  • Home
  • Cybersecurity
  • Cyber Threats
  • Hacking
  • Protection
  • Networking
  • Malware
  • Fintech
  • Internet Of Things
No Result
View All Result
LetsAskBinu.com
No Result
View All Result
Home Cybersecurity

Bug in CrowdStrike Falcon Allows Removal of Security Agent

Researcher by Researcher
August 23, 2022
in Cybersecurity
0
Researchers Warn of RCE Bug in Spring Framework
189
SHARES
1.5k
VIEWS
Share on FacebookShare on Twitter


Researchers have identified a vulnerability in CrowdStrike’s Falcon cloud-based endpoint protection system that enables a privileged user to bypass an important feature and uninstall the Falcon agent from any machine.

The bug affects at least two versions of the Falcon agent, versions 6.31.14505.0 and 6.42.15610, and an attacker who can successfully exploit it would be able to remove the Falcon anti-malware and EDR agent from a target computer. In order to exploit the flaw, however, an attacker would first need to have administrator privileges on the machine, which is a significant hurdle, but not an impossible one to clear. There is a thriving underground market for valid user and admin credentials and cybercrime groups and ransomware gangs often purchase access to corporate networks from initial access brokers who steal or buy credentials.

“The sensor can be configured with a uninstall protection. It prevents the uninstallation of CrowdStrike Falcon sensor on the end-device without a one-time generated token,” the advisory from researchers at modzero says.

“Exploiting this vulnerability allows an attacker with administrative privileges to bypass the token check on Windows end-devices and to uninstall the sensor from the device without proper authorization, effectively removing the device’s EDR and AV protection.”

Researchers at modzero, a Swiss research and services group, discovered the vulnerability and notified CrowdStrike in June. CrowdStrike asked the researchers to report it through the company’s HackerOne bug bounty program and sign a non-disclosure agreement. The researchers declined both requirements, and after several months of back-and-forth discussions in which CrowdStrike told the researchers that the issue was not considered a valid security concern, modzero published the details of the flaw and a proof-of-concept exploit for it on Monday. The researchers initially tested one specific version of Falcon, but later in the process were able to get access to a newer version and found that the initial exploit they sent to CrowdStrike was flagged as malicious behavior and other countermeasures to the exploit had been included.

“As the issue was not considered valid, we informed CrowdStrike that we would release the advisory to the public. In response, CrowdStrike tried again to set up a bug bounty disclosure meeting between ‘modzero’s Sr Leadership’ and CrowdStrike CISO “[…] to discuss next steps related to the bug bounty disclosure” in contrast to our previously stated disclosure rules,” a blog post by modzero says.

“Sometime later, we were able to acquire an updated version of the sensor and discovered that parts of the formerly provided exploit code and a specific msiexec call, are now flagged as malicious behaviour by the sensor. This leads us to conclude that CrowdStrike tried to “fix” the issue, while being told the issue didn’t exist. Which is pretty disrespectful to us. We were able to circumvent the countermeasures introduced silently by CrowdStrike. With small changes to the exploit, it is now working again (tested with version 6.42.15610 of the CrowdStrike Falcon software).”

CrowdStrike did not respond to a request for comment for this story, but posted an explanation on Reddit Monday.

“During an uninstallation of Falcon, several instances of msiexec.exe run in parallel performing various tasks. One of these tasks uses a custom action (CA) to verify the presence of a valid uninstall token for Falcon. Under normal conditions, if that verification fails or can’t be completed, the MSI logic stops the uninstallation process and notifies the user that a valid uninstall token is required,” the post says.

“As disclosed by modzero, a local administrator can circumvent this within Microsoft’s MSI implementation, wherein msiexec.exe will continue an uninstall process if a CA terminates without returning (such as when that process crashes or is intentionally killed). In essence, the MSI is failing open (unexpected) as opposed to failing closed (expected). Because of the timing and privilege required to execute the bypass, this method requires specialized software, local administrator access, privilege elevation, and a reboot of the endpoint.”

CrowdStrike said it disclosed the issue to customers on July 8 and filed a bug report with MIcrosoft about the errant MSI behavior.



Source link

Related articles

Sentra Raises $30 Million for DSPM Technology

Northern Ireland’s Top Police Officer Apologizes for ‘Industrial Scale’ Data Breach

August 13, 2023
Minimizing Risk Through Proactive Apple Device Management: Addigy

Minimizing Risk Through Proactive Apple Device Management: Addigy

August 12, 2023
Tags: agentbugCrowdstrikeFalconremovalsecurity
Share76Tweet47

Related Posts

Sentra Raises $30 Million for DSPM Technology

Northern Ireland’s Top Police Officer Apologizes for ‘Industrial Scale’ Data Breach

August 13, 2023
0

Northern Ireland’s top police officer apologized Thursday for what he described as an “industrial scale” data breach in which the...

Minimizing Risk Through Proactive Apple Device Management: Addigy

Minimizing Risk Through Proactive Apple Device Management: Addigy

August 12, 2023
0

Enterprise IT teams are struggling to cope with three major forces of change: the evolving regulatory environment, a globally dispersed...

Decipher Podcast: Katelyn Bowden and TC Johnson

Decipher Podcast: Katelyn Bowden and TC Johnson

August 12, 2023
0

Veilid main site: https://veilid.com/ Cult of the Dead Cow site: https://cultdeadcow.com/ Source link

In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack 

In Other News: macOS Security Reports, Keyboard Spying, VPN Vulnerabilities

August 12, 2023
0

SecurityWeek is publishing a weekly cybersecurity roundup that provides a concise compilation of noteworthy stories that might have slipped under...

Used Correctly, Generative AI is a Boon for Cybersecurity

Used Correctly, Generative AI is a Boon for Cybersecurity

August 12, 2023
0

Adobe stock, by Busra At the Black Hat kickoff keynote on Wednesday, Jeff Moss (AKA Dark Tangent), the founder of...

Load More
  • Trending
  • Comments
  • Latest
This Week in Fintech: TFT Bi-Weekly News Roundup 08/02

This Week in Fintech: TFT Bi-Weekly News Roundup 15/03

March 15, 2022
Supply chain efficiency starts with securing port operations

Supply chain efficiency starts with securing port operations

March 15, 2022
Microsoft to Block Macros by Default in Office Apps

Qakbot Email Thread Hijacking Attacks Drop Multiple Payloads

March 15, 2022
QNAP Escalation Vulnerability Let Attackers Gain Administrator Privileges

QNAP Escalation Vulnerability Let Attackers Gain Administrator Privileges

March 15, 2022
Beware! Facebook accounts being hijacked via Messenger prize phishing chats

Beware! Facebook accounts being hijacked via Messenger prize phishing chats

0
Shoulder surfing: Watch out for eagle‑eyed snoopers peeking at your phone

Shoulder surfing: Watch out for eagle‑eyed snoopers peeking at your phone

0
Remote work causing security issues for system and IT administrators

Remote work causing security issues for system and IT administrators

0
Elementor WordPress plugin has a gaping security hole – update now – Naked Security

Elementor WordPress plugin has a gaping security hole – update now – Naked Security

0
‘Horse Gone Barn Bolted’ is Strong Password – Krebs on Security

‘Horse Gone Barn Bolted’ is Strong Password – Krebs on Security

September 23, 2023
SumUp Launches 7am Payouts; Offering UK Merchants Optimal Financial Flexibility

SumUp Launches 7am Payouts; Offering UK Merchants Optimal Financial Flexibility

September 23, 2023
Stealth Falcon preying over Middle Eastern skies with Deadglyph

Stealth Falcon preying over Middle Eastern skies with Deadglyph

September 23, 2023
Will you give X your biometric data? – Week in security with Tony Anscombe

ESET’s cutting-edge threat research at LABScon – Week in security with Tony Anscombe

September 23, 2023

Recent Posts

‘Horse Gone Barn Bolted’ is Strong Password – Krebs on Security

‘Horse Gone Barn Bolted’ is Strong Password – Krebs on Security

September 23, 2023
SumUp Launches 7am Payouts; Offering UK Merchants Optimal Financial Flexibility

SumUp Launches 7am Payouts; Offering UK Merchants Optimal Financial Flexibility

September 23, 2023
Stealth Falcon preying over Middle Eastern skies with Deadglyph

Stealth Falcon preying over Middle Eastern skies with Deadglyph

September 23, 2023

Categories

  • Cyber Threats
  • Cybersecurity
  • Fintech
  • Hacking
  • Internet Of Things
  • LetsAskBinuBlogs
  • Malware
  • Networking
  • Protection

Tags

Access attack Attacks banking BiWeekly bug Cisco cloud code critical Cyber Cybersecurity Data Digital exploited financial Fintech Flaw flaws Google Group Hackers Krebs Latest launches malware Microsoft million Network News open patches platform Ransomware RoundUp security Software Stories TFT Threat Top vulnerabilities vulnerability warns Week

© 2022 Lets Ask Binu All Rights Reserved

No Result
View All Result
  • Home
  • Cybersecurity
  • Cyber Threats
  • Hacking
  • Protection
  • Networking
  • Malware
  • Fintech
  • Internet Of Things

© 2022 Lets Ask Binu All Rights Reserved