Researchers have identified a vulnerability in CrowdStrike’s Falcon cloud-based endpoint protection system that enables a privileged user to bypass an important feature and uninstall the Falcon agent from any machine.
The bug affects at least two versions of the Falcon agent, versions 6.31.14505.0 and 6.42.15610, and an attacker who can successfully exploit it would be able to remove the Falcon anti-malware and EDR agent from a target computer. In order to exploit the flaw, however, an attacker would first need to have administrator privileges on the machine, which is a significant hurdle, but not an impossible one to clear. There is a thriving underground market for valid user and admin credentials, and cybercrime groups and ransomware gangs often purchase access to corporate networks from initial access brokers who steal or buy credentials.
“The sensor can be configured with an uninstall protection. It prevents the uninstallation of CrowdStrike Falcon sensor on the end-device without a one-time generated token,” the advisory from researchers at modzero says.
“Exploiting this vulnerability allows an attacker with administrative privileges to bypass the token check on Windows end-devices and to uninstall the sensor from the device without proper authorization, effectively removing the device’s EDR and AV protection.”
Researchers at modzero, a Swiss research and services group, discovered the vulnerability and notified CrowdStrike in June. CrowdStrike asked the researchers to report it through the company’s HackerOne bug bounty program and sign a non-disclosure agreement. The researchers declined both requirements, and after several months of back-and-forth discussions in which CrowdStrike told the researchers that the issue was not considered a valid security concern, modzero published the details of the flaw and a proof-of-concept exploit for it on Monday. The researchers initially tested one specific version of Falcon, but later in the process were able to get access to a newer version and found that the initial exploit they sent to CrowdStrike was flagged as malicious behavior and other countermeasures to the exploit had been included.
“As the issue was not considered valid, we informed CrowdStrike that we would release the advisory to the public. In response, CrowdStrike tried again to set up a bug bounty disclosure meeting between ‘modzero’s Sr Leadership’ and CrowdStrike CISO “[…] to discuss next steps related to the bug bounty disclosure” in contrast to our previously stated disclosure rules,” a blog post by modzero says.
“Sometime later, we were able to acquire an updated version of the sensor and discovered that parts of the formerly provided exploit code and a specific msiexec call are now flagged as malicious behaviour by the sensor. This leads us to conclude that CrowdStrike tried to “fix” the issue, while being told the issue didn’t exist. Which is pretty disrespectful to us. We were able to circumvent the countermeasures introduced silently by CrowdStrike. With small changes to the exploit, it is now working again (tested with version 6.42.15610 of the CrowdStrike Falcon software).”
CrowdStrike did not respond to a request for comment for this story, but posted an explanation on Reddit Monday.
“During an uninstallation of Falcon, several instances of msiexec.exe run in parallel performing various tasks. One of these tasks uses a custom action (CA) to verify the presence of a valid uninstall token for Falcon. Under normal conditions, if that verification fails or can’t be completed, the MSI logic stops the uninstallation process and notifies the user that a valid uninstall token is required,” the post says.
“As disclosed by modzero, a local administrator can circumvent this within Microsoft’s MSI implementation, wherein msiexec.exe will continue an uninstall process if a CA terminates without returning (such as when that process crashes or is intentionally killed). In essence, the MSI is failing open (unexpected) as opposed to failing closed (expected). Because of the timing and privilege required to execute the bypass, this method requires specialized software, local administrator access, privilege elevation, and a reboot of the endpoint.”
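The fail-open versus fail-closed distinction CrowdStrike describes is a general design point for any orchestrator that delegates a security check to a separate process. The following added example, which is not CrowdStrike, modzero or Microsoft code, models it in Python: a hypothetical installer-style orchestrator launches a child "custom action" that checks an uninstall token, and the two `uninstall_allowed` policies show why a child that exits without reporting (crashed, killed, or timed out) must be treated as a failed check rather than a passed one. The token value, the child process and the verdict protocol are all constructed for the illustration.

```python
"""Fail-open vs fail-closed handling of an out-of-process verification step.

Constructed illustration, not vendor code: an orchestrator runs a separate
"custom action" child that checks an uninstall token, then decides whether
the uninstall proceeds. The child is simulated with a small Python subprocess
so the scenario runs offline.
"""
import subprocess
import sys
from enum import Enum


class Verdict(Enum):
    TOKEN_OK = "token_ok"        # child explicitly accepted the token
    TOKEN_BAD = "token_bad"      # child explicitly rejected the token
    NO_VERDICT = "no_verdict"    # child exited without reporting (crash, kill, timeout)


# Hypothetical reference token for the demo; a real product would compare a
# one-time, server-generated token (the article names the mechanism, not its format).
EXPECTED_TOKEN = "constructed-demo-token"


def run_token_check(token: str, kill_child: bool = False, timeout: float = 5.0) -> Verdict:
    """Run the token check in a child process and map its outcome to a Verdict.

    The child reports its decision on stdout. kill_child=True models the child
    being terminated before it can report, which is the case an orchestrator
    must treat as a failed check. Exit codes are deliberately not used: a
    terminated process may return an arbitrary code on some platforms.
    """
    child_code = (
        "import sys, time\n"
        "time.sleep(0.5)\n"  # a real check takes time; gives the demo a window to terminate it
        "print('TOKEN_OK' if sys.argv[1] == sys.argv[2] else 'TOKEN_BAD')\n"
    )
    proc = subprocess.Popen(
        [sys.executable, "-c", child_code, token, EXPECTED_TOKEN],
        stdout=subprocess.PIPE,
        text=True,
    )
    if kill_child:
        proc.kill()  # simulate the verification process dying before it reports
    try:
        out, _ = proc.communicate(timeout=timeout)
    except subprocess.TimeoutExpired:
        proc.kill()
        proc.communicate()
        return Verdict.NO_VERDICT
    report = out.strip()
    if report == "TOKEN_OK":
        return Verdict.TOKEN_OK
    if report == "TOKEN_BAD":
        return Verdict.TOKEN_BAD
    return Verdict.NO_VERDICT  # nothing (or garbage) was reported: no explicit verdict


def uninstall_allowed(verdict: Verdict, fail_closed: bool) -> bool:
    """Decide whether the uninstall proceeds under the chosen policy.

    fail_closed=False reproduces the failure mode described in the article:
    anything other than an explicit rejection lets the uninstall continue, so a
    child that never reports is indistinguishable from one that approved.
    fail_closed=True is the expected behaviour: only an explicit approval proceeds.
    """
    if fail_closed:
        return verdict is Verdict.TOKEN_OK
    return verdict is not Verdict.TOKEN_BAD


def scenario_matrix() -> dict:
    """Evaluate every verdict under both policies; returns {(verdict, policy): allowed}."""
    results = {}
    for verdict in Verdict:
        for policy in ("fail_open", "fail_closed"):
            results[(verdict.value, policy)] = uninstall_allowed(verdict, policy == "fail_closed")
    return results


if __name__ == "__main__":
    print("valid token   :", run_token_check(EXPECTED_TOKEN))
    print("wrong token   :", run_token_check("not-the-token"))
    print("child killed  :", run_token_check(EXPECTED_TOKEN, kill_child=True))
    for (verdict, policy), allowed in scenario_matrix().items():
        print(f"{verdict:<11} under {policy:<11}: {'proceed' if allowed else 'abort'}")
```

The only row of the matrix where the two policies disagree is `no_verdict`: the fail-open orchestrator proceeds, the fail-closed one aborts. That row is the whole bug class, and it is worth checking for in any installer, agent or service that relies on a helper process to say "no".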
CrowdStrike said it disclosed the issue to customers on July 8 and filed a bug report with Microsoft about the errant MSI behavior.