CrowdStrike recently released a new version of the Falcon Sensor for Windows, version 5.19. When the DLP Agent is on the same endpoint system as this version of the sensor, a system crash may occur.
Falcon Sensor 5.19 uses a Windows kernel feature called "Thread Agnostic I/O," which results in I/O Request Packets (IRPs) not being associated with a particular thread. With the DLP Agent service running, the DLP Agent mini-filter driver (vfsmfd.sys) could receive an IRP from the Falcon Sensor kernel component with the current thread context set to NULL. A null check is not implemented in the DLP driver, which results in a Windows system crash.
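The crash described above comes down to a missing null check on the requestor thread of an IRP. The user-mode C model below is added here as an illustration; it is not Symantec's vfsmfd.sys code, and the `RequestorThread` / `FilterCallbackData` structures are simplified stand-ins rather than the WDK's `FLT_CALLBACK_DATA` and `PETHREAD`. It shows the unchecked pattern beside the checked one, and adds a counter so an operator can see how often thread-agnostic I/O reaches the filter.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for what a mini-filter callback receives.
 * Not the WDK types; they model only the property that matters here:
 * the requesting thread may be absent (thread-agnostic I/O). */
typedef struct RequestorThread {
    uint32_t thread_id;
    uint32_t process_id;
} RequestorThread;

typedef struct FilterCallbackData {
    RequestorThread *Thread;     /* NULL when the IRP has no thread context */
    const char      *file_path;  /* target of the operation */
} FilterCallbackData;

#define NO_REQUESTOR (-1)

/* "Before": assumes every IRP carries a requesting thread.
 * In kernel mode a NULL dereference here is an unhandled access violation,
 * i.e. a bug check (system crash), not a recoverable error. */
int32_t requestor_pid_unchecked(const FilterCallbackData *data)
{
    return (int32_t)data->Thread->process_id;   /* faults when Thread == NULL */
}

/* "After": detect the missing thread context and fall back explicitly. */
int32_t requestor_pid_checked(const FilterCallbackData *data)
{
    if (data == NULL || data->Thread == NULL)
        return NO_REQUESTOR;
    return (int32_t)data->Thread->process_id;
}

static unsigned long g_unattributed_io = 0;   /* telemetry: IRPs with no requestor */

/* Pre-operation callback body. Returns 1 if the I/O can be attributed to a
 * process and should go through per-process policy, 0 if it is passed
 * through because no requestor thread exists. */
int pre_operation(const FilterCallbackData *data)
{
    if (requestor_pid_checked(data) == NO_REQUESTOR) {
        g_unattributed_io++;
        return 0;
    }
    return 1;
}

unsigned long unattributed_count(void)
{
    return g_unattributed_io;
}

/* Constructed scenario: thread_present = 1 models an ordinary IRP issued by
 * process 42; thread_present = 0 models a thread-agnostic IRP. */
int32_t scenario(int thread_present)
{
    RequestorThread t = { .thread_id = 1234, .process_id = 42 };
    FilterCallbackData data = {
        .Thread    = thread_present ? &t : NULL,
        .file_path = "C:\\Users\\alice\\Documents\\report.docx",  /* constructed */
    };
    pre_operation(&data);
    return requestor_pid_checked(&data);
}

/* The unchecked version is only safe to call when a thread is present. */
int32_t scenario_unchecked_with_thread(void)
{
    RequestorThread t = { .thread_id = 1234, .process_id = 42 };
    FilterCallbackData data = { .Thread = &t, .file_path = "constructed" };
    return requestor_pid_unchecked(&data);
}

int main(void)
{
    printf("ordinary IRP        -> pid %d\n", scenario(1));
    printf("thread-agnostic IRP -> %d (no requestor)\n", scenario(0));
    printf("unattributed I/O seen: %lu\n", unattributed_count());
    return 0;
}
```

The design point is that "no requestor thread" must be a first-class outcome of the lookup, not an impossible case: the checked path returns a sentinel, the callback chooses a pass-through policy for it, and the counter gives the operator a way to confirm, after deploying the fix, that such IRPs are in fact arriving.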
Symantec and CrowdStrike engineers are working to resolve this issue as quickly as possible.
In the meantime, CrowdStrike has provided a workaround at the CrowdStrike community support portal.
UPDATE NOVEMBER 13, 2019: A public hot fix that addresses this issue is available for Data Loss Prevention 15.1 MP2 and 15.5 MP2.
To obtain the hot fix for 15.1 MP2: Download Hotfix_15.1.0207.01003.zip from MySymantec.
To obtain the hot fix for 15.5 MP2: Download Hotfix_15.5.0205.01001.zip from MySymantec.
UPDATE DECEMBER 30, 2019: After a thorough investigation and working closely with CrowdStrike engineers, Symantec has concluded that the issue is not exploitable from user mode, and thus poses no security risk to the DLP Agent. However, the public hot fix should still be applied to avoid the system crash.