CrowdStrike Agent causing BSOD loop on Windows - Faulty Update on Falcon Sensor.
Vulnerable Version And Products
- Latest version of CrowdStrike Falcon Agent on Windows
Fixes and workaround
- Boot Windows into Safe Mode or the Windows Recovery Environment
- Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
- Locate the file matching C-00000291*.sys and delete it.
- Boot the host normally.
We received reports that only the Windows Recovery Environment mode works, as the driver still seems to be loaded in safe mode.
Detection and investigative assessment
- Windows system stuck in a boot loop, showing a blue screen with the message “What failed: csagent.sys”.
The “buggy” driver has the following hashes:
- MD5 - 1618cd13c5263720ec958c3b24b9d1c8
- SHA-1 - cb8a27c7347d19bc0b23093a99816dfd8240dbc5
- SHA-256 - ad492bc8b884f9c9a5ce0c96087e722a2732cdb31612e092cdbf4a9555b44362
- SSDEEP - 384:bIy44Wo45c59r/qQqu1QhSn88MyU64guxkP5O84VLv8xB0+Cn:9495c59rSQBG8CJxfexBl0
- TLSH - T1EF03B83AFA108F99D071C0F7D9370B9EB394AD9C2B8257A37A5DBB3D48B55180DC046A
- Virustotal reference
- MISP event with the “buggy” file available in the MISP OSINT feed
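The following PowerShell script is an added example and is not part of the CIRCL advisory or of CrowdStrike's own tooling. It automates the workaround above from an elevated PowerShell session: it lists the C-00000291*.sys files in the CrowdStrike driver directory, computes their SHA-256 and compares it with the hash published in this advisory, and only when the `-Remove` switch is given copies a matching file to a quarantine folder and then deletes it; a file that does not match the published hash is reported but left in place. The parameter names, the default quarantine folder (`C:\CS-quarantine`) and the assumption that the system volume is reachable under the given drive letter (it may be mounted under another letter from the Windows Recovery Environment) are choices made for this example.

```powershell
# Added example: locate the faulty C-00000291*.sys channel file, verify it against the
# SHA-256 IoC from the advisory, and remove it. Without -Remove the script only reports.
param(
    [string]$DriverDir = 'C:\Windows\System32\drivers\CrowdStrike',  # adjust if the volume is mounted elsewhere (e.g. from WinRE)
    [string]$QuarantineDir = 'C:\CS-quarantine',                     # hypothetical folder used to keep a copy before deletion
    [switch]$Remove
)

# SHA-256 of the faulty driver file as listed in the advisory
$BadSha256 = 'ad492bc8b884f9c9a5ce0c96087e722a2732cdb31612e092cdbf4a9555b44362'

$candidates = Get-ChildItem -Path $DriverDir -Filter 'C-00000291*.sys' -File -ErrorAction SilentlyContinue
if (-not $candidates) {
    Write-Output "No C-00000291*.sys file found in $DriverDir"
    return
}

foreach ($file in $candidates) {
    $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash.ToLowerInvariant()

    if ($hash -ne $BadSha256) {
        # Hash differs from the published IoC: report it and leave the file alone.
        Write-Output ("no match  {0}  sha256={1}" -f $file.FullName, $hash)
        continue
    }

    Write-Output ("MATCH     {0}  sha256={1}" -f $file.FullName, $hash)
    if (-not $Remove) {
        Write-Output "  (re-run with -Remove to quarantine and delete this file)"
        continue
    }

    # Keep a copy outside the driver directory for later investigation, then delete the original.
    New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
    Copy-Item -Path $file.FullName -Destination (Join-Path $QuarantineDir $file.Name) -Force
    Remove-Item -Path $file.FullName -Force
    Write-Output ("  removed {0} (copy kept in {1})" -f $file.FullName, $QuarantineDir)
}
```

Run it once without `-Remove` to see which files match the IoC, then with `-Remove` and reboot the host normally, as the workaround describes.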
Known affected software in Luxembourg
- Impact currently unknown in Luxembourg, but impact has been seen at least in the US, Australia and India.
References
- CrowdStrike Falcon Sensor Windows Crashes
Classification of this document
TLP:CLEAR information may be distributed without restriction, subject to copyright controls.
Revision
- Version 1.0 - TLP:CLEAR - First version - 19th July 2024
- Version 1.1 - TLP:CLEAR - Recovery versus safe mode from users + clarification of the BSOD - 19th July 2024
- Version 1.2 - TLP:CLEAR - IOC of the buggy driver added + MISP reference - 19th July 2024