CVSS3
Attack Vector
ADJACENT
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
AI Score
Confidence
High
On July 19, 2024, a flawed update in CrowdStrike Falconâs channel file 291 led to a logic error that caused Windows systems to crash, resulting in widespread BSOD (Blue Screen of Death) incidents. The impact was severe, disrupting critical infrastructure globally, from grounded flights to halted public transit systems. In fact, youâd have to have been living under a rock to have missed this incident. While this Windows-related incident dominated the headlines, however, a less publicized, but critical, issue was brewing on Linux.
Regardless of the widespread disruption caused by Windows Blue Screens during the recent CrowdStrike outage, the next significant strike might target Linux systems, and eBPF (extended Berkeley Packet Filter) could be at the center of it. While many focused on the catastrophic effects of the Windows incident, Linux systems face their own quieter, yet equally alarming, issues. eBPFâa popular and powerful, but dangerously invasive technologyâposes a significant risk to even the most stable Linux environments.
This threat isnât just theoretical. In June 2024, Red Hat Linux users experienced kernel panics caused by the CrowdStrike Falcon agent running as an eBPF program. Although this incident didnât cause the same level of public outcry as the Windows BSODs, it underscores a critical risk: eBPF, when improperly managed, can destabilize entire Linux systems. Kernel panics, though less visually dramatic than BSODs, can be equally catastrophic, especially in environments running mission-critical services.
eBPF operates in the kernel space, allowing it to execute powerful monitoring and security tasks. However, this power comes with significant risk. A minor bug in an eBPF program can lead to system-wide crashes. Consider this simple code example:
int bpf_prog(struct __sk_buff *skb) {
int *ptr = NULL;
*ptr = 42; // Dereferencing a null pointer, leading to a crash
return 0;
}
This code, though simplistic, highlights the potential dangers of eBPF: a single misstep can bring down an entire system. The Linux kernel panic in June was a direct result of such risks, serving as a wake-up call for the Linux community.
eBPFâs flexibility and power have made it a popular tool in modern computing environments, but its increasing complexity has led to a surge in vulnerabilities. Since 2021, there have been 36 CVEs (Common Vulnerabilities and Exposures) related to eBPF, with 10 of them reported in just the first seven months of 2024. These vulnerabilities highlight the inherent dangers of integrating eBPF into production environments.
CVE-2024-42486
Severity: CVSS 5.5
Description: In Ciliumâs GatewayAPI controller, changes to ReferenceGrant are not correctly propagated, potentially leading to unauthorized access in versions before 1.15.8 on the 1.15.x branch and 1.16.1 on the 1.16.x branch.
CVE-2024-42488
Severity: CVSS 6.8
Description: A race condition in Ciliumâs eBPF-based agent can cause it to ignore critical node labels, resulting in unenforced security policies and potential security breaches.
CVE-2024-42487
Severity: CVSS 4.0
Description: Flaws in Ciliumâs Gateway API HTTPRoutes and GRPCRoutes lead to incorrect traffic routing, which could expose systems to unauthorized access.
CVE-2024-37307
Severity: CVSS 7.9
Description: When using the cilium-bugtool with the --envoy-dump flag, sensitive data may be exposed, leading to security breaches in Ciliumâs eBPF-based dataplane.
CVE-2024-28860
Severity: CVSS 8.0
Description: A critical vulnerability in Ciliumâs IPsec transparent encryption renders encryption ineffective, exposing systems to cryptographic attacks.
CVE-2024-28248
Severity: CVSS 7.2
Description: Inconsistent application of HTTP policies in Cilium allows unauthorized HTTP traffic to bypass security measures, leading to potential data breaches.
CVE-2024-28249
Severity: CVSS 6.1
Description: In Cilium clusters with IPsec enabled, certain traffic may be sent unencrypted, compromising data confidentiality.
CVE-2024-28250
Severity: CVSS 6.1
Description: A flaw in Ciliumâs WireGuard implementation can result in unencrypted traffic between nodes, exposing sensitive data to unauthorized access.
CVE-2024-25631
Severity: CVSS 6.1
Description: This vulnerability affects Cilium users with an external key-value store and WireGuard enabled, where traffic between pods is not encrypted, exposing data to interception.
CVE-2024-25630
Severity: CVSS 6.1
Description: Similar to CVE-2024-25631, this vulnerability affects Cilium users storing Cilium state using CRDs, with traffic to and from Ingress and health endpoints being unencrypted, leading to potential security breaches.
These vulnerabilities illustrate the risks posed by eBPF, particularly when it is used in environments requiring high security and stability.
While the CVEs discussed highlight significant security flaws, they donât fully capture the risks posed by eBPF. One particularly concerning issue is that kernel panics caused by eBPF programs, like the one observed with the Falcon sensor on Linux, are not even captured as CVEs. Even when classified as a vulnerability, kernel panics, which cause the entire system to crash, are not always classified with high CVSS (Common Vulnerability Scoring System) scores because they often require local privileges to exploit. However, the impact of a kernel panicâespecially in production environmentsâcan be devastating.
For example, the kernel panic caused by the Falcon sensor on a Linux kernel version 5.14.0-427.13.1.el9_4.x86_64 was not classified as a CVE. Despite this, the issue was severe enough to prompt a rapid update to the Falcon sensor software.
The CrowdStrike outage should serve as a warningânot just for Windows users, but for the entire tech industry. While Windows BSODs grabbed headlines, the next threat may be nascent in Linux systems, where eBPF could cause the next major disruption. As eBPF continues to be adopted for more use cases, the risk of catastrophic failures increases unless the industry adopts more stringent testing and validation practices.
The Linux community and the broader tech industry must remain vigilant, ensuring that the power of eBPF is harnessed safely. Without proper safeguards, eBPF could very well be the catalyst for the next major system crash.
The post The Other Crowdstrike Outage appeared first on Wallarm.
CVSS3
Attack Vector
ADJACENT
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
AI Score
Confidence
High