Community Alert: CrowdStrike Update Triggering Blue Screen of Death

Click here to download this Community Alert as a PDF: Community Alert: CrowdStrike Update Triggering Blue Screen of Death

There are widespread reports of a CrowdStrike Falcon sensor update triggering Windows hosts to display the dreaded Blue Screen of Death (BSOD), rendering them inoperable. Older hosts still running Windows 7/2008 R2 are not impacted. The flawed update was pushed at 4:09 AM UTC and CrowdStrike has reverted those changes. As a result, hosts that booted up after 5:27 AM UTC should not experience any issues.

EVERY ORGANIZATION SHOULD IMMEDIATELY ASSESS YOUR SYSTEMS AND DETERMINE POTENTIAL IMPACT. KEY VENDORS AND SUPPLIERS MAY ALSO BE IMPACTED.

CrowdStrike’s CEO, George Kurtz, released a statement on the social media platform X that the problems are caused by a “defect found in a single content update for Windows hosts.”

“Mac and Linux hosts are not impacted. This is not a security incident or cyberattack. The issue has been identified, isolated and a fix has been deployed. We refer customers to the support portal for the latest updates and will continue to provide complete and continuous updates on our website,” Kurtz added.

What You Need to Do:

Windows hosts that have not been impacted do not require any action as the problematic channel file has been reverted.

At the time of this community alert, CrowdStrike has reverted the update, but if you are already impacted CrowdStrike’s alert web page recommends the following remediation steps:

Workaround Steps for Individual Hosts:

• Reboot the host to allow it to download the reverted channel file. If the host crashes again, then:
  • Boot Windows into Safe Mode or the Windows Recovery Environment.
    • NOTE: Putting the host on a wired network (as opposed to WiFi) and using Safe Mode with Networking can help remediation.
  • Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory.
  • Locate the file matching “C-00000291*.sys”, and delete it.
  • Boot the host normally.

Note: Hosts with BitLocker drive encryption enabled may require a recovery key.

Workaround Steps for public cloud or similar environment including virtual:

Option 1:

• ​​​​​​​Detach the operating system disk volume from the impacted virtual server.
• Create a snapshot or backup of the disk volume before proceeding further as a precaution against unintended changes.
• Attach/mount the volume to a new virtual server.
• Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory.
• Locate the file matching “C-00000291*.sys”, and delete it.
• Detach the volume from the new virtual server.
• Reattach the fixed volume to the impacted virtual server.

Option 2:

• ​​​​​​​Roll back to a snapshot before 0409 UTC.

Check Your Suppliers 

Assess any potential impacts on your operations. Proactively reach out to key suppliers such as MSPs, software vendors, and cloud providers and ask them to confirm whether they or any of their partners or service providers are impacted. Make sure to give your suppliers a deadline for responding so that you can coordinate your own response and any customer or public relations notifications.

 

Stay Up-to-Date 

LMG will continue to monitor the developing situation and provide updates as they become available. If you have any questions or need assistance, please contact us.