Happy Monday!
Today is not Wednesday (my usual day for posting) and you still have a full week ahead of you! However, due to the massive issues that occurred on Friday (CrowdStrike + Microsoft), I felt sending out my weekly newsletter a bit earlier in the week was appropriate. First off, the elephant in the room: 8.5 million endpoints were affected by a single “content update” to a security tool, with the consequence of breaking systems across multiple industries around the globe.
I have also been asked by several customers if SentinelOne has the same potential for this to occur, and the quick answer is no. For one, SentinelOne does not manipulate mechanisms within the kernel with its content updates. Secondly, its agent updates are fully controlled by the customer – you determine how slowly or quickly you wish to push those updates.
This incident's aftermath will still unfold over weeks, months, or even years. When something can take down government agencies, airlines, and other organizations in this manner, there will be conversations about how this happened and how it will not happen again.
As for the rest of this week’s updates....here you go!
CrowdStrike Outage and Updates
This outage was due to a content update (a “channel file” consumed by the Falcon sensor, which runs as a Windows kernel-mode driver) for the Falcon product line, CrowdStrike's flagship EDR
- Content updates are typically pushed automatically, without any input from the organization – CrowdStrike (and many others) feel this is the best way to get updates to endpoints quickly
- Unfortunately, this update caused a BSOD (Blue Screen of Death) because the sensor faulted at the kernel level on Windows systems (Mac and Linux hosts were not affected)
- The result was massive outages across every sector in the world; for a sense of scale, CrowdStrike's own website lists its customer base as including:
- 298 of the Fortune 500
- 538 of the Fortune 1000
- 8 out of the top 10 Financial services firms
- 7 out of the top 10 manufacturers
- 8 out of the top 10 food & beverage companies
- 8 out of the top 10 auto companies
- 43 of the 50 U.S. states
- 6 out of the top 10 healthcare providers
- 8 out of the top 10 technology firms
- Several people I am connected to on LinkedIn showed signs of the BSOD at gas stations, local gyms, airports, etc.
- I had friends reaching out telling me how their network went down due to the issue, and they were mainly a Chromebook environment – so you ask how? Active Directory was their DNS/DHCP controller; when that goes down, everything follows.
- Recovery was a bit of a nightmare, which I have heard CrowdStrike is working to help customers with. However, it does currently require booting into Safe Mode (or the Windows Recovery Environment) to delete the faulty channel file – remote users? BitLocker? Those two variables are a nightmare to work through.
- I know one person reading this email is probably having a panic attack as he reads this part about a BitLocker recovery key being required to get into Safe Mode
- BCP/DR plans for this type of outage are not really considered, even though they should be – and so should understanding how your critical services behave when a dependency fails, instead of blindly trusting the developers
- Some users lucked out – either their systems were offline (for whatever reason) and did not get the update, or repeatedly rebooting the system finally let the fixed version download before Falcon loaded the bad file (I have heard it could take up to 15 reboots to get that one to work)
- For me, I was making a purchase and had to wait for a statewide website to come back online before it could be finalized – that happened between 4:45 PM and 5 PM CST. The funny part is that the front-end portion never went off, but the authentication portion would never work – telling me that the web app was probably Linux-based and the backend was a Windows-based database server.
Link (1): https://www.crowdstrike.com/blog/falcon-update-for-windows-hosts-technical-details/
Link (2): https://www.wired.com/story/microsoft-windows-outage-crowdstrike-global-it-probems/
Link (3): https://lifehacker.com/tech/fix-the-crowdstrike-bug-with-usb-drive
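For anyone still working through the recovery steps above, here is an added PowerShell example written for this edition of the newsletter (it is not CrowdStrike's or Flair's tooling). It assumes the remediation CrowdStrike published in Link (1): boot the host into Safe Mode or WinRE, then delete the channel file matching C-00000291*.sys under Windows\System32\drivers\CrowdStrike, while leaving alone any copy whose timestamp is 05:27 UTC on 19 July 2024 or later (that is the reverted, good version; the bad one is stamped 04:09 UTC). The second function assumes BitLocker recovery passwords are escrowed to Active Directory and uses the standard ActiveDirectory module to look one up by hostname so the help desk can read it to a remote user stuck at the recovery prompt. Function and parameter names, and the drive-letter override, are my assumptions.

```powershell
# Added example for this newsletter (not CrowdStrike's or Flair's tooling).
# Assumptions: Remove-BadChannelFile runs as admin from Safe Mode, or from a
# WinRE prompt that has PowerShell, where the Windows volume may not be C:.

# CrowdStrike's published detail: the faulty channel file is C-00000291*.sys
# with a 04:09 UTC timestamp on 19 July 2024; a copy stamped 05:27 UTC or
# later is the reverted, good version and must be kept.
$GoodFileCutoffUtc = [datetime]::new(2024, 7, 19, 5, 27, 0, [DateTimeKind]::Utc)

function Remove-BadChannelFile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Root of the Windows install; override from WinRE (e.g. 'D:\Windows').
        [string]$WindowsRoot = $env:SystemRoot
    )
    $dir = Join-Path $WindowsRoot 'System32\drivers\CrowdStrike'
    if (-not (Test-Path $dir)) {
        Write-Warning "No CrowdStrike driver directory at $dir (not a Falcon host, or wrong drive letter)"
        return @()
    }
    $removed = @()
    foreach ($f in Get-ChildItem -Path $dir -Filter 'C-00000291*.sys' -File) {
        $stampUtc = $f.LastWriteTimeUtc
        if ($stampUtc -ge $GoodFileCutoffUtc) {
            # Already the reverted file: deleting it would only cost the host
            # another download, so leave it.
            Write-Host "Keeping $($f.Name) (timestamp $stampUtc UTC is the reverted version)"
            continue
        }
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Delete faulty channel file')) {
            Remove-Item -LiteralPath $f.FullName -Force
            $removed += $f.Name
        }
    }
    if ($removed.Count -eq 0) {
        Write-Host 'Nothing removed: host already has the fixed file (or never received the bad one)'
    }
    return $removed
}

function Get-BitLockerRecoveryFromAD {
    param([Parameter(Mandatory)][string]$ComputerName)
    Import-Module ActiveDirectory
    $computer = Get-ADComputer -Identity $ComputerName
    # Escrowed recovery passwords are msFVE-RecoveryInformation child objects
    # of the computer account; the object name embeds the key ID shown on the
    # BitLocker recovery screen, so the help desk can match it to the caller.
    Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -SearchBase $computer.DistinguishedName `
        -Properties 'msFVE-RecoveryPassword', 'whenCreated' |
        Sort-Object whenCreated -Descending |
        Select-Object @{n = 'Computer';         e = { $ComputerName } },
                      @{n = 'KeyIdFromName';    e = { $_.Name } },
                      @{n = 'RecoveryPassword'; e = { $_.'msFVE-RecoveryPassword' } },
                      whenCreated
}

# On the broken host (Safe Mode): preview first, then run for real.
# Remove-BadChannelFile -WhatIf
# Remove-BadChannelFile
# From WinRE, where the system volume is often a different letter:
# Remove-BadChannelFile -WindowsRoot 'D:\Windows'
# From the help desk, to read a recovery key to a remote user:
# Get-BitLockerRecoveryFromAD -ComputerName LAPTOP-0423
```

Two caveats a practitioner should keep in mind: the timestamp check is the only thing separating the bad file from the good one, so run with `-WhatIf` first on a host you can inspect; and the AD lookup only returns something if BitLocker key escrow to AD (or an equivalent export to Entra ID / Intune) was configured before the outage, which is exactly the gap the BitLocker panic above is about.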
Cisco Smart Software Manager Vulnerability CVE-2024-20419
CVE-2024-20419 (CVSS score of 10.0): a vulnerability in the authentication system of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to change the password of any user, including administrative users
- The cause is an improper implementation of the password-change process; an attacker could exploit it by sending crafted HTTP requests to an affected device
- Successful exploitation would allow the attacker to access the web UI or API with the privileges of the compromised user
- Patches have been released (the fix is in SSM On-Prem release 8-202212; Release 9 is not affected), and at the time of the advisory Cisco was not aware of any exploitation in the wild
Link (1): https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-auth-sLw3uhUy
Link (2): https://thehackernews.com/2024/07/cisco-warns-of-critical-flaw-affecting.html
Critical Security Flaw in Cisco Secure Email Gateway: CVE-2024-20401
CVE-2024-20401 (CVSS score of 9.8): a vulnerability in the content scanning and message filtering features of Cisco Secure Email Gateway could allow an unauthenticated, remote attacker to overwrite arbitrary files on the underlying operating system
- This is due to improper handling of email attachments when file analysis and content filters are enabled; an attacker could exploit it by sending an email containing a crafted attachment through an affected device
- A successful exploit could allow the attacker to replace any file on the underlying file system and then do any of the following: add users with root privileges, modify the device configuration, execute arbitrary code, or cause a permanent DoS condition on the affected device
- Cisco Secure Email and Web Manager and Cisco Secure Web Appliance are not affected
- The vulnerability affects Cisco Secure Email Gateway only if it is running a vulnerable release of Cisco AsyncOS and both of the following conditions are met:
- Either the file analysis feature, which is part of Cisco AMP, or the content filter feature is enabled and assigned to an incoming mail policy
- Content Scanner Tools version is earlier than 23.3.0.4823
Link (1): https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-afw-bGG2UsjH
Link (2): https://thehackernews.com/2024/07/cisco-warns-of-critical-flaw-affecting.html
Until next week, it’s Brent Forrest signing off. Be cyber safe my friends!
About the Author:
Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brent acts as an advisor to customers across different verticals, providing guidance that includes developing strategies to reduce risk with existing or modern technology while enabling the business. With over 20 years of experience in the IT industry, Brent has been part of multiple groups within the IT field, spanning Telecom, Network, Wireless, and Infrastructure, before eventually finding his passion in Security. Roughly 20 years of that time was spent in the Oil and Gas industry, working across multiple teams and leading initiatives. Specifically, at EnLink Midstream he spent most of his time building resilience and developing the cybersecurity program.
Brent has been with Flair Data for 3 years and is CISSP, C|CISO, CvCISO, and Sec+ certified. In his free time, he likes to spend time with family, work out, or keep up with personal development. He lives in Dallas, Texas with his wife and children.
About:
Flair Data Systems is a strategically priced IT solutions company serving clients across the U.S., with offices in Texas and Colorado. Now a technology industry leader, we began in 1916 as the Porter Burgess Company. Flair Data Systems is your Trusted Advisor for Collaboration, Unified Communications, Networking, Cloud, Infrastructure, Data Analytics, and Cybersecurity. We provide trusted cybersecurity services in Dallas, TX, and the DFW Metroplex.