A faulty software update issued by CrowdStrike has resulted in a massive outage that’s affected Windows computers around the world, disrupting businesses, airports, train stations, banks, broadcasters, and the healthcare sector.
- While the issue is affecting Windows systems, the cause is a faulty CrowdStrike update.
- CrowdStrike clarified that the outage was not caused by a cyberattack but was the result of a “defect” in a software update for its Falcon Sensor security product.
- According to CrowdStrike, the issue has been identified, isolated, and a fix has been deployed.
Situation
Businesses across the world have been hit by widespread disruptions to their Windows workstations stemming from a faulty update pushed out by cybersecurity company CrowdStrike.
Problem
The defect causes Windows hosts with the Falcon sensor installed to crash before the operating system finishes loading, with widespread reports of “Blue Screens of Death” on affected hosts.
The crash occurs in CrowdStrike’s kernel driver, ‘csagent.sys’, when it processes the faulty content file pushed in the update. Because the driver loads early in boot, affected hosts fail to boot (often in a loop), so users cannot reach the desktop or open any installed software.
Additional Impact:
Google Cloud Compute Engine: reports of Windows virtual machines running CrowdStrike’s csagent.sys crashing and entering an unexpected reboot loop.
Microsoft Azure: reports of successful recovery from some customers “attempting multiple Virtual Machine restart operations on affected Virtual Machines,” and that “several reboots (as many as 15 have been reported) may be required.”
Amazon Web Services (AWS): reports that it has taken steps to mitigate the issue for as many Windows instances, Windows WorkSpaces, and AppStream applications as possible, and recommends that customers still affected “take action to restore connectivity.”
Implication
Follow CrowdStrike guidance and maintain best practices for applying updates:
CrowdStrike stated it has identified the issue and a fix has been deployed for its Falcon Sensor product, urging customers to refer to their support portal for the latest updates.
Stay Alert:
Ensure any patches or remediation steps you apply come directly from CrowdStrike. Of note, CISA has observed threat actors taking advantage of this incident for phishing and other malicious activity. CISA urges organizations and individuals to remain vigilant and only follow instructions from legitimate sources, and recommends that organizations remind their employees to avoid clicking on phishing emails or suspicious links.
CISA Alert: https://www.cisa.gov/news-events/alerts/2024/07/19/widespread-it-outage-due-crowdstrike-update
Need
Because this is a dynamic situation, we recommend keeping current with the latest guidance from CrowdStrike: https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/
For systems that have been impacted by the problem, mitigation instructions are listed below:
For Windows systems:
If you have a machine that is impacted by the CrowdStrike update, you can remove the faulty file and restore functionality by following the instructions below (these mirror CrowdStrike’s published workaround):
- Boot Windows into Safe Mode or the Windows Recovery Environment (WinRE). Note that inside WinRE the Windows volume may be mounted under a drive letter other than C:, and a BitLocker-encrypted volume will require its recovery key before the file system can be accessed.
- Navigate to the C:\Windows\System32\drivers\CrowdStrike directory (substituting the correct drive letter if it differs)
- Locate the file(s) matching “C-00000291*.sys” and delete them
- Restart the computer or server normally
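The following PowerShell script automates the steps above for a host booted into Safe Mode or WinRE. It is an added example and is not CrowdStrike’s tooling or part of the original advisory. It assumes the operator passes the drive letter of the offline Windows volume (inside WinRE the environment’s own drive is the X: RAM disk, so the default value is usually wrong there), takes the file pattern C-00000291*.sys from the steps above, and, as a labelled assumption to re-check against CrowdStrike’s current guidance, treats channel files timestamped at or after 2024-07-19 05:27 UTC as the corrected version and leaves them in place. It honours -WhatIf so the deletion can be previewed first.

```powershell
<#
  Added example, not CrowdStrike's or the advisory's own tooling.
  Usage (from Safe Mode or a WinRE command prompt after starting powershell.exe):
      Set-ExecutionPolicy Bypass -Scope Process -Force
      .\Remove-FaultyChannelFile.ps1 -WindowsDrive D: -WhatIf   # preview
      .\Remove-FaultyChannelFile.ps1 -WindowsDrive D:           # delete
  Assumptions: -WindowsDrive is the offline Windows volume (not X: in WinRE);
  the timestamp cutoff below is taken from CrowdStrike's public remediation
  notes and should be verified against their current guidance.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Drive letter of the Windows volume to repair. In WinRE, pass it explicitly.
    [string]$WindowsDrive = $env:SystemDrive,

    # Channel-file pattern named in the advisory's remediation steps.
    [string]$Pattern = 'C-00000291*.sys',

    # Assumption: files written at/after this UTC time are the corrected content.
    [datetime]$GoodSinceUtc = [datetime]::new(2024, 7, 19, 5, 27, 0, [DateTimeKind]::Utc),

    # Delete every matching file regardless of its timestamp.
    [switch]$IgnoreTimestamp
)

$dir = Join-Path $WindowsDrive 'Windows\System32\drivers\CrowdStrike'
if (-not (Test-Path -LiteralPath $dir)) {
    Write-Error "Falcon directory not found at $dir. Is $WindowsDrive the right Windows volume? (BitLocker volumes must be unlocked first.)"
    exit 1
}

# Only the channel files matching the pattern are candidates; csagent.sys itself is left alone.
$files = @(Get-ChildItem -LiteralPath $dir -Filter $Pattern -File -ErrorAction Stop)
if ($files.Count -eq 0) {
    Write-Host "No files matching $Pattern in $dir; nothing to remove."
    exit 0
}

foreach ($f in $files) {
    $stamp = $f.LastWriteTimeUtc.ToString('yyyy-MM-dd HH:mm:ss') + ' UTC'

    if (-not $IgnoreTimestamp -and $f.LastWriteTimeUtc -ge $GoodSinceUtc) {
        Write-Host "Keeping $($f.Name) ($stamp): at or after the corrected-file cutoff."
        continue
    }

    # ShouldProcess makes -WhatIf / -Confirm work for the destructive step.
    if ($PSCmdlet.ShouldProcess($f.FullName, "Delete faulty channel file ($stamp)")) {
        Remove-Item -LiteralPath $f.FullName -Force
        Write-Host "Deleted $($f.Name) ($stamp)."
    }
}

Write-Host 'Done. Reboot normally; once the host is back online it can receive the corrected content from CrowdStrike.'
```

Run it with -WhatIf first and compare the listed timestamps with CrowdStrike’s current statement before deleting anything; if the cutoff in the script no longer matches their guidance, pass -IgnoreTimestamp to remove every matching file, which is exactly what the manual steps above do.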
AWS EC2 instance: https://health.aws.amazon.com/health/status
Google Cloud: https://status.cloud.google.com/incidents/DK3LfKowzJPpZq4Q9YqP