Security researchers criticize CrowdStrike for operating a “ridiculous” bug bounty disclosure program

The vulnerability might not be noteworthy, but the reporting process may be.

A security firm has criticized CrowdStrike for operating a “ridiculous” bug bounty disclosure program following a sensor flaw report.

In April, Pascal Zenker, a partner at Swiss security firm Modzero AG, discovered a vulnerability in CrowdStrike Falcon Sensor, the agent software that collects telemetry from a host and transmits it to the Falcon endpoint security platform.

The vulnerability, tracked as CVE-2022-2841, allowed an attacker to bypass the one-time token check that guards uninstallation of the sensor on Windows devices. Removing the sensor cuts off the stream of security event data to the platform and leaves the machine open to further compromise by malware.

The team built an automated proof-of-concept (PoC) tool that corrupts the sensor's uninstall flow so that the token check is skipped, and demonstrated it against Falcon versions 6.31.14505.0 and 6.42.15610.

However, the attacker already needs administrator privileges on the host to pull this off. The token check exists precisely to stop a local administrator from removing the agent without a maintenance token that is not normally available on the machine, so the bypass does weaken tamper protection; but because an administrator already controls the machine in most other respects, the potentially high-risk vulnerability was rated a low-severity issue.

Modzero says the bug wasn’t “worth a tweet”, as the “overall risk of the vulnerability is very limited”; what it did think worth commenting on was CrowdStrike’s response to the report.

“We’d like to shed some light on a ridiculous vulnerability disclosure process with CrowdStrike,” the company tweeted.

Third-party program

According to a security advisory published Monday (August 22), Modzero expected a clean-cut vulnerability disclosure process from the Nasdaq-listed security vendor. Instead, Modzero says, the “communication and disclosure with CrowdStrike was tedious and turned unprofessional in the end”.

CrowdStrike runs its bug bounty program through HackerOne. The bone of contention appears to have been that CrowdStrike wanted Modzero to submit the vulnerability through that program, while Modzero would not accept the program’s terms, which it said include signing a mutual non-disclosure agreement.

Modzero said it requested a direct security contact outside of HackerOne, and after months of emails, the company submitted a draft security advisory in late June, together with a PoC.

CrowdStrike said it had not been able to reproduce the bug on more recent software versions. Modzero asked for a trial version of the latest release so that it could check for itself, a request it says was denied.

“As the issue was not considered valid, we informed CrowdStrike that we would release the advisory to the public,” Modzero commented.

“In response, CrowdStrike tried again to set up a bug bounty disclosure meeting between ‘Modzero’s sr Leadership and CrowdStrike CISO […] to discuss [the] next steps related to the bug bounty disclosure’ in contrast to our previously stated disclosure rules.”

Modzero said it then obtained a recent version of the software and verified that the vulnerability was still present. The sensor now flagged the original exploit code as malicious, a detection Modzero says it got around with small tweaks to the code.

Advisory published

Modzero has since published the security advisory, criticizing the cybersecurity firm for being inflexible outside its “NDA-ridden bug bounty program”.

“[We concluded] that CrowdStrike tried to ‘fix’ the issue while being told the issue didn’t exist. Which is pretty disrespectful to us,” Modzero commented.

When approached for comment, CrowdStrike directed us to a statement posted on Reddit on Monday (August 22) that links back to Modzero’s advisory.

The cybersecurity firm says the root problem is a fail-open condition in the Microsoft Installer (MSI) harness, meaning that if the token check does not run to completion the uninstall proceeds instead of being blocked. The issue has been reported to the relevant parties.

According to the company, fully closing the hole would require moving away from the MSI framework. Exploiting it requires specialized software, local admin access, privilege elevation, and a reboot of the endpoint.
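The fail-open pattern CrowdStrike describes is general enough to show in isolation. The following is an added illustration, not code from the page, from CrowdStrike or from Modzero, and it makes no claim about how the Falcon installer is actually built: a hypothetical uninstall gate calls an external token verifier, and the two functions differ only in what they do when that verifier never returns a verdict (here simulated by a stand-in that raises, standing for an assumed condition such as the verifier being killed or corrupted). The token value and verifier are constructed for the example.

```python
"""Fail-open versus fail-closed gating of a protected uninstall.

Added illustration of the defect class the article describes (a token check
whose failure to complete is treated as permission to proceed). This is not
CrowdStrike's or Modzero's code and does not model the Falcon installer's
internals; `verify_token` and the constructed token value are stand-ins for
whatever external step checks the maintenance token.
"""
from enum import Enum, auto
from typing import Callable, Dict


class Verdict(Enum):
    VALID = auto()
    INVALID = auto()


# Constructed sample value; a real token would be issued out of band.
EXPECTED_TOKEN = "constructed-maintenance-token"

Verifier = Callable[[str], Verdict]


def verify_token(token: str) -> Verdict:
    """Stand-in for the external token check running normally."""
    return Verdict.VALID if token == EXPECTED_TOKEN else Verdict.INVALID


def crashed_verifier(token: str) -> Verdict:
    """Simulates the check being killed or its binary corrupted (assumed
    attacker condition for the example): it never returns a verdict."""
    raise RuntimeError("verifier terminated before producing a verdict")


def uninstall_fail_open(token: str, verifier: Verifier) -> bool:
    """Vulnerable shape: only an explicit INVALID verdict blocks removal.

    Returns True when the uninstall proceeds. If the verifier never answers,
    the error is swallowed and the orchestration carries on.
    """
    blocked = False
    try:
        if verifier(token) is Verdict.INVALID:
            blocked = True
    except Exception:
        pass  # check did not run: `blocked` stays False, so removal continues
    return not blocked


def uninstall_fail_closed(token: str, verifier: Verifier) -> bool:
    """Hardened shape: removal proceeds only on an explicit VALID verdict.

    Any other outcome, including the verifier failing to run at all, aborts.
    """
    try:
        verdict = verifier(token)
    except Exception:
        return False  # no verdict is treated the same as a bad token
    return verdict is Verdict.VALID


def run_scenarios() -> Dict[str, Dict[str, bool]]:
    """Exercise both policies against the same three situations."""
    cases = {
        "correct token": (EXPECTED_TOKEN, verify_token),
        "wrong token": ("not-the-token", verify_token),
        "verifier crashes": ("not-the-token", crashed_verifier),
    }
    return {
        "fail_open": {name: uninstall_fail_open(t, v) for name, (t, v) in cases.items()},
        "fail_closed": {name: uninstall_fail_closed(t, v) for name, (t, v) in cases.items()},
    }


if __name__ == "__main__":
    for policy, results in run_scenarios().items():
        for case, proceeded in results.items():
            print(f"{policy:12s} {case:18s} uninstall proceeds: {proceeded}")
```

The difference is the default: the vulnerable gate only stops when it positively hears "invalid", so anything that prevents the verifier from answering is as good as a valid token; the hardened gate requires a positive "valid" and treats silence, timeouts and crashes as denial. When the check is an external step that a privileged local user can interfere with, the second default is the only safe one, and the article's point that a full fix means leaving the MSI framework reflects how hard it is to impose that default on an orchestration layer you do not control.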

CrowdStrike informed customers in July.

“Detection logic was also added to the sensor to try to detect this technique and similar ones,” CrowdStrike added. “We thank Modzero for their hard work and disclosure of this incident.”

Following the publication of this article, CrowdStrike spokesperson Kevin Benacci told Daily Swig:

We want to set the record straight on how this situation transpired. As both parties have stated, we engaged with Modzero immediately upon receipt of them reporting the issue on June 29. As Modzero has indicated, the issue reported is with Microsoft’s MSI implementation and requires local access and admin privileges.

On July 8, less than 10 days after receipt of this initial report, we notified all Falcon customers via a Technical Alert (crediting Modzero), and we subsequently reported the MSI bug to Microsoft. We attempted to continue the dialogue with Modzero in early July to no avail and did not hear from them over the past six-plus weeks until yesterday, when they published their blog. In line with industry best practices, we are committed to engaging with the research community in a positive and professional manner that protects customers.

Responsible and timely disclosure is an important part of the process of building trust and supporting the security community, which is why CrowdStrike runs an open and transparent bug bounty program with partners such as HackerOne.
