Today, we publish a new advisory for a vulnerability in the CrowdStrike Falcon Sensor that was found by our team-mate Pascal Zenker as part of a recent red-teaming engagement.
The vulnerability is a case of insufficient control flow management that allows an attacker with administrative privileges to bypass the Falcon Agent Uninstall Protection feature of CrowdStrike. As the exploit requires high privileges, the overall risk of the vulnerability is very limited: it matters mainly in a post-compromise scenario, where an attacker who already holds local administrator rights wants to remove the sensor despite the protection feature.
While the vulnerability itself might not be worth a blog post, we'd
like to write a few lines about the ridiculous disclosure process.
CrowdStrike is a major vendor in the area of IT security, and we expected a straightforward coordinated disclosure process. To our surprise, the communication and disclosure with CrowdStrike was tedious and turned unprofessional in the end. Throughout the whole process, CrowdStrike pushed us repeatedly to disclose the vulnerability through their HackerOne bug bounty program, which would have forced us to agree to the HackerOne disclosure terms.
We communicated early on that we are neither willing to participate in any bug bounty program nor to sign an NDA, because we are the ones providing information to them. After providing CrowdStrike with a draft of the security advisory and the exploit source code, we were informed that they could not replicate the issue with an updated version of the sensor. Our request for a 14-day trial version to verify that ourselves was denied.
As the issue was not considered valid, we informed CrowdStrike that we would release the advisory to the public. In response, CrowdStrike tried again to set up a bug bounty disclosure meeting between "modzero's Sr Leadership" and the CrowdStrike CISO "[...] to discuss next steps related to the bug bounty disclosure", contrary to our previously stated disclosure rules.
Some time later, we were able to acquire an updated version of the sensor and discovered that parts of the exploit code we had provided, as well as a specific msiexec call, are now flagged as malicious behaviour by the sensor. This leads us to conclude that CrowdStrike tried to "fix" the issue while telling us that the issue did not exist, which we find rather disrespectful.
We were able to circumvent the countermeasures introduced silently by CrowdStrike. Flagging the submitted PoC and one particular msiexec invocation is a signature on the exploit rather than a fix of the underlying control-flow flaw, so small changes to the exploit were enough to make it work again (tested with version 6.42.15610 of the CrowdStrike Falcon software).
We believe that vulnerability disclosure is a two-way street. Vendors, as well as researchers, should act responsibly and show mutual goodwill and transparency. Mutual non-disclosure agreements and restrictions imposed by bug bounty programs limit the disclosure process. Remember, just because no CVE-IDs are publicly known does not mean bugs haven't been reported and fixed. Many bug bounty reports never result in CVE-IDs, leading to a false perception of security and software quality.
Disclosure Timeline
2022/04 - Found vulnerability in CrowdStrike Falcon Sensor
(6.31.14505.0)
2022/06/04 - modzero asked for a security contact @ CrowdStrike,
             because their "report a security bug" page only referred
             to the HackerOne bug bounty program.
2022/06/06 - CS answered that modzero can use the HackerOne
             submission page or send an e-mail to their support at
             support@crowdstrike.com.
2022/06/06 - modzero asked if it is okay to send sensitive
             information about 0day vulnerabilities to support@.
             modzero also told CS that we are not willing to accept
             the terms & conditions of HackerOne, which is why we asked
             for a direct security contact.
2022/06/06 - CS offered to enroll modzero in a private bug bounty
             program at HackerOne, under the condition that we
             sign a mutual non-disclosure agreement.
2022/06/07 - to prevent further misunderstandings, modzero told CS
             again that:
             * we would like to submit a security related bug.
             * we don't want to participate in any bug bounty
               programs.
             * we are not willing to sign any NDA because WE are the
               ones providing information to CS.
             * we are not willing to accept any sort of terms &
               conditions that are out of scope of well known hacker
               ethics.
             * we only want to get a reliable security contact on
               their side.
             Additionally, modzero sent a link to their current
             vulnerability disclosure policy.
2022/06/07 - CS told us to send the report to bugs@ for review.
2022/06/13 - CS asked for the report.
2022/06/13 - modzero told CS that we need a little bit more time to
finish and double check everything before submitting.
2022/06/29 - modzero sent the Security Advisory (draft), the Proof of
             Concept exploit source code, an executable and a screencast
             video of the PoC to CS.
2022/06/29 - CS told us that we were testing using only an
             unsupported version of the Falcon Sensor. CS told us
             about the error message and that they were not able to
             reproduce.
2022/07/05 - modzero told CS that the error message can be ignored
             and referred to their PoC screencast video. We also asked
             for a recent (14-day trial) version of the Falcon Sensor to
             provide reliable information on whether the most recent
             version is still vulnerable or not.
2022/07/05 - CS answered: "We do not provide trial licenses as part
of this process, however having tested the PoC on our
end with a modern sensor this does not appear to be a
valid issue."
2022/07/05 - modzero announced publishing the advisory and exploit
code by end of week, asking if the quote of CS "Having
tested the PoC on our end with a modern sensor this does
not appear to be a valid issue" can be used in our
report.
2022/07/06 - CS asked for a meeting between modzero's Sr Leadership
             and CS to discuss next steps related to the bug bounty
             disclosure.
2022/07/07 - modzero, again, told CS that we are not participating
             in any bug bounty program and that there is no need to
             discuss NDAs or bug bounty programs.
2022/08/12 - modzero managed to acquire a recent version (6.42.15610)
             of CrowdStrike Falcon and verified that the attack is
             still possible. Furthermore, modzero figured out that
             the vulnerability (which was first rejected by
             CrowdStrike) had been silently "fixed": the PoC that had
             been sent to CrowdStrike was flagged as malicious. The
             msiexec call of the uninstaller was also flagged as
             malicious. Both "countermeasures" can be circumvented
             easily; we updated the exploit accordingly.
2022/08/22 - modzero publishes the Security Advisory and exploit
             code, because CrowdStrike was unwilling to set up
             a cooperative information exchange outside of their
             NDA-ridden bug bounty program to discuss vulnerabilities
             in their products.