←back to thread

CrowdStrike's Falcon Sensor also linked to Linux kernel panics and crashes

(www.theregister.com)
158 points kenjackson | 3 comments | 22 Jul 24 02:22 UTC | HN request time: 0.663s | source
Show context
roblabla ◴[22 Jul 24 07:17 UTC] No.41031699[source]
This is some very poor journalism. The linux issues are so, so very different from the windows BSOD issue.

The redhat kernel panics were caused by a bug in the kernel ebpf implementation, likely a regression introduced by a rhel-specific patch. Blaming crowdstrike for this is stupid (just like blaming microsoft for the crowdstrike bsod is stupid).

For background, I also work on a product using eBPFs, and had kernel updates cause kernel panics in my eBPF probes.

In my case, the panic happened because the kernel decided to change an LSM hook interface, adding a new argument in front of the others. When the probe gets loaded, the kernel doesn’t typecheck the arguments, and so doesn’t realise the probe isn’t compatible with the new kernel. When the probe runs, shit happens and you end up with a kernel panic.

eBPF probes causing kernel panics are almost always indication of a kernel bug, not a bug in the ebpf vendor. There are exceptions of course (such as an ebpf denying access to a resource causing pid1 to crash). But they’re very few.

replies(4): >>41031896 #>>41032164 #>>41032610 #>>41034621 #
mbesto ◴[22 Jul 24 08:51 UTC] No.41032164[source]
> just like blaming microsoft for the crowdstrike bsod is stupid

Wait, how is this stupid? Unless I'm missing something, wasn't the patch part of a Microsoft payload that included an update to Crowdstrike? Surely Crowdstrike is culpable, but that doesn't completely absolve Microsoft of any responsibility, as its their payload.

replies(7): >>41032197 #>>41032249 #>>41032287 #>>41032415 #>>41032517 #>>41032630 #>>41032666 #
roblabla ◴[22 Jul 24 08:57 UTC] No.41032197[source]
Do you have a source for this? It's the first time I hear of this. From what I've understood (perhaps wrongly), the error came from the CrowdStrike driver (csagent.sys) having bugs in their configuration parser that could cause it to BSOD. CrowdStrike pushed a corrupted configuration (the CS-000whatever.sys we're told to delete) that hit that bug. I'm not sure how Microsoft fits in this story.
replies(1): >>41032313 #
1. mbesto ◴[22 Jul 24 09:14 UTC] No.41032313[source]
Just read more into it. You're correct. I think it would be dumb to solely blame MS, but I don't think you can completely absolve them.

this comment right here sums it up:

> Sure, but Windows shares some portion of the blame for allowing third-party security vendors to “shit in the kernel”.

https://news.ycombinator.com/item?id=41006176

replies(1): >>41033074 #
2. roblabla ◴[22 Jul 24 11:11 UTC] No.41033074[source]
Yeah, the fact that Windows requires kernel-level access to be able to do EDR stuff is really unfortunate. MacOS has been very successful with their userspace EndpointSecurity Framework for this purpose.

On the other hand, Linux is similarly crippled: eBPF LSM are fairly recent and don't work everywhere (I'm looking at you Ubuntu[0]), and the only real alternative if you want to be able to block processes is a kernel module. Which comes with the same dangers as Windows.

[0]: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2054810

replies(1): >>41033470 #
3. sgift ◴[22 Jul 24 12:04 UTC] No.41033470[source]
Well, Microsoft says that's because of the EU commission: https://news.ycombinator.com/item?id=41029590

I have my doubts, but that's at least what they give as the reason for the kernel-level access of EDR tools.