Crowdstrike: Elaboration on previous preliminary Post Incident Review
So the cause of the issue was they put an interpreter (regex interpreter) in the kernel Ring 0… then provided only 20 values of expected 21 (and did not have a line of code checking that args.length >= 21)?!?!
And then did not test it???
“Rapid Response Content is delivered through Channel Files and interpreted by the sensor’s Content Interpreter, using a regular-expression based engine.”
Sensors that received the new version of Channel File 291 carrying the problematic content were exposed to a latent out-of-bounds read issue in the Content Interpreter. At the next IPC notification from the operating system, the new IPC Template Instances were evaluated, specifying a comparison against the 21st input value. The Content Interpreter expected only 20 values. Therefore, the attempt to access the 21st value produced an out-of-bounds memory read beyond the end of the input data array and resulted in a system crash.”
