LEFT SIDEBAR AD

Hidden in mobile, Best for skyscrapers.

Security researchers blast ‘ridiculous’ CrowdStrike bug disclosure practices

1 year ago 140
BOOK THIS SPACE FOR AD
ARTICLE AD

The vulnerability might not be noteworthy, but the reporting process may be

Security researchers blast 'ridiculous' CrowdStrike bug disclosure practices

A security firm has criticized CrowdStrike for operating a “ridiculous” bug bounty disclosure program following a sensor flaw report.

In April, Pascal Zenker, a partner of Swiss security analyst service Modzero AG, discovered a vulnerability in CrowdStrike Falcon Sensor, agent software used to transmit data to the Falcon endpoint security platform.

The vulnerability, tracked as CVE-2022-2841, allowed attackers to exploit and bypass the one-time generated token check used to uninstall the sensors on Windows devices, thereby cutting security event data streams and potentially leaving the machine vulnerable to further compromise by malware.

The team created an automated proof-of-concept (PoC) tool to corrupt the sensor and ignore the token check in Falcon versions 6.31.14505.0 and 6.42.15610.

However, the attacker already needed administrator privileges to achieve this security bypass, relegating the potentially high-risk vulnerability to a low-severity issue.

Modzero says the bug wasn’t “worth a tweet” as the “overall risk of the vulnerability is very limited,” however, the alleged response of CrowdStrike was worth commenting on.

“We’d like to shed some light on a ridiculous vulnerability disclosure process with CrowdStrike,” the company tweeted.

Third-party program

According to a security advisory published Monday (August 22), Modzero expected a clean-cut vulnerability disclosure process from the Nasdaq-listed IT firm. However, Modzero says the “communication and disclosure with CrowdStrike was tedious and turned unprofessional in the end”.

CrowdStrike runs a bug bounty program through HackerOne. The bone of contention appeared that CrowdStrike wanted Modzero to submit the vulnerability through the program. Still, the company did not want to agree to the program’s terms, which were said to include signing a mutual non-disclosure agreement.

Modzero said it requested a direct security contact outside of HackerOne, and after months of emails, the company submitted a draft security advisory in late June, together with a PoC.

Read more of the latest bug bounty news

CrowdStrike said bug replication had not been possible on more recent software versions. Modzero requested a trial version of the latest software, which was allegedly denied.

“As the issue was not considered valid, we informed CrowdStrike that we would release the advisory to the public,” Modzero commented.

“In response, CrowdStrike tried again to set up a bug bounty disclosure meeting between ‘Modzero’s sr Leadership and CrowdStrike CISO [...] to discuss [the] next steps related to the bug bounty disclosure’ in contrast to our previously stated disclosure rules.”

Modzero said it then acquired a recent version of the software and verified the vulnerability still existed. However, the exploit code had been flagged as malicious – an alleged change that was easily remedied by tweaking the exploit code.

Advisory published

Modzero has since published the security advisory, criticizing the cybersecurity firm for being inflexible outside its “NDA-ridden bug bounty program”.

“[We concluded] that CrowdStrike tried to “fix” the issue while being told the issue didn’t exist. Which is pretty disrespectful to us,” Modzero commented.

When approached for comment, CrowdStrike directed us to a statement posted on Reddit on Monday (August 22) that links back to Modzero’s advisory.

The cybersecurity firm says that the main problem is a fail-open condition in the Microsoft Installer (MSI) harness, and the issue has been reported to the relevant parties.

According to the company, controlling it would require moving away from the MSI framework. The vulnerability could only be exploited with specialized software, local admin access, privilege elevation, and an endpoint reboot.

CrowdStrike informed customers in July.

“Detection logic was also added to the sensor to try to detect this technique and similar ones,” CrowdStrike added. “We thank Modzero for their hard work and disclosure of this incident.”

The Daily Swig has reached out to Modzero with additional queries and we will update when we hear back.

RECOMMENDED Secure Open Source Rewards program launched to help protect critical upstream software

Read Entire Article
  3. Security researchers blast ‘ridiculous’ CrowdStrike bug disclosure practices

Related

We’re going teetotal: It’s goodbye to The Daily Swig

We’re going teetotal: It’s goodbye to The Daily Swig

Bug Bounty Radar // The latest bug bounty programs for March 2023

Bug Bounty Radar // The latest bug bounty programs for March 2023

Indian transport ministry flaws potentially allowed creation of counterfeit driving licenses

Indian transport ministry flaws potentially allowed creation of counterfeit driving licenses

Password managers: A rough guide to enterprise secret platforms

Password managers: A rough guide to enterprise secret platforms

Chromium bug allowed SameSite cookie bypass on Android devices

Chromium bug allowed SameSite cookie bypass on Android devices

Deserialized web security roundup: Twitter 2FA backlash, GoDaddy suffers years-long attack campaign, and XSS Hunter adds e2e encryption

Deserialized web security roundup: Twitter 2FA backlash, GoDaddy suffers years-long attack campaign, and XSS Hunter adds e2e encryption

Trending

1. AP EAMCET Hall Ticket download
2. Vote
3. Rabindranath Tagore
4. David Corenswet
5. Election
6. DC vs RR
7. Manchester United
8. Sunita Williams
9. Rahul Gandhi Congress
10. Anshul Kamboj

Popular

1-click RCE in Electron Applications

1-click RCE in Electron Applications

Install waybackurls on Kali Linux

Install waybackurls on Kali Linux

Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

Microsoft Office Professional Plus 2019 (x64 & x86) Multilingual + Pre-Activated

Microsoft Office Professional Plus 2019 (x64 & x86) Multilingual + Pre-Activated

Install DalFox on Kali Linux

Install DalFox on Kali Linux

Adobe Master Collection CC 2022 v25.08.2022 (x64) Multilingual Pre-Activated

Adobe Master Collection CC 2022 v25.08.2022 (x64) Multilingual Pre-Activated

Maxon CINEMA 4D Studio S22.123 (x64) Multilingual + Crack

Maxon CINEMA 4D Studio S22.123 (x64) Multilingual + Crack

‘We are not motivated by profits’ – Open Bug Bounty maintainers on finding a niche in the crowdsourced AppSec market

‘We are not motivated by profits’ – Open Bug Bounty maintainers on finding a niche in the crowdsourced AppSec market

Just Gopher It: Escalating a Blind SSRF to RCE for $15k

Just Gopher It: Escalating a Blind SSRF to RCE for $15k

SketchUp Pro 2020 v20.2.172 (x64) Multilingual + Patch

SketchUp Pro 2020 v20.2.172 (x64) Multilingual + Patch

BOOK THIS SPACE FOR AD
RIGHT SIDEBAR BOTTOM AD
Bengali (Bangladesh) Bengali (Bangladesh) · English (United States) English (United States) ·
About Us · Terms & Condition · Contact Us
© Security Alert 2024. All rights are reserved