Issue Summary: Customers have been affected by a defect identified in a specific content update for CrowdStrike Falcon agent for Windows hosts, causing system crashes and blue screen of death (BSOD).
Published Date: July 19, 2024
Impact: Blue screen of death, unavailability
Severity: Critical
FAQ:
Q: What are the symptoms of the issue and automated resolution?
- Symptoms include hosts experiencing a bug check\blue screen error related to the Falcon Sensor.
- Windows hosts which have not been impacted do not require any action as the problematic channel file has been reverted.
- Windows hosts that are bought online after 0527 UTC will also not be impacted.
- This issue is not impacting Mac- or Linux-based hosts.
- Channel file “C-00000291*.sys” with timestamp of 0527 UTC or later is the reverted (good) version.
- Channel file “C-00000291*.sys” with timestamp of 0409 UTC is the problematic version.
Q: What are recommended actions to manually resolve this issue?
- CrowdStrike Engineering has identified a content deployment related to this issue and reverted those changes. If hosts are still crashing and unable to stay online to receive the channel file changes, the following steps can be used to work around this issue:
Workaround steps for individual hosts:
- Reboot the host to give it an opportunity to download the reverted channel file. If the host crashes again, then:
- Boot Windows into safe mode or the Windows recovery environment
- Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory
- Locate the file matching “C-00000291*.sys” and delete it.
- Boot the host normally.
Note: Bitlocker-encrypted hosts may require a recovery key.
Workaround steps for public cloud or similar environment including virtual machines:
Option 1:
- Detach the operating system disk volume from the impacted virtual server
- Create a snapshot or backup of the disk volume before proceeding further as a precaution against unintended changes
- Attach/mount the volume to a new virtual server
- Navigate to the %WINDIR%\\System32\drivers\CrowdStrike directory
- Locate the file matching “C-00000291*.sys” and delete it.
- Detach the volume from the new virtual server
- Reattach the fixed volume to the impacted virtual server
Option 2:
- Roll back to a snapshot before 0409 UTC.
Workaround steps for Azure via serial
- Login to Azure console –> Go to Virtual Machines –> Select the VM
- Upper left on console –> Click: “Connect” –> Click –> Connect –> Click “More ways to Connect” –> Click : “Serial Console”
- Step 3: Once SAC has loaded, type in ‘cmd’ and press enter.
- type in ‘cmd’ command
- type in: ch -si 1
- Press any key (space bar). Enter Administrator credentials
- Type the following:
- bcdedit /set {current} safeboot minimal
- bcdedit /set {current} safeboot network
- Restart VM
- Optional: How to confirm the boot state? Run command:
- wmic COMPUTERSYSTEM GET BootupState
Latest updates from CrowdStrike
- 2024-07-19 05:30 AM UTC | Tech Alert Published.
- 2024-07-19 06:30 AM UTC | Updated and added workaround details.
- 2024-07-19 07:08 AM UTC | CrowdStrike Engineering has identified a content deployment related to this issue and reverted those changes.
- 2024-07-19 07:32 AM UTC | Added PR coverage