- May 4, 2019
Today, we publish a new advisory for a vulnerability in the CrowdStrike Falcon Sensor that was found by our teammate Pascal Zenker as part of a recent red-teaming engagement.
The vulnerability is a case of insufficient control flow management that allows an attacker with administrative privileges to bypass the Falcon Agent Uninstall Protection feature of CrowdStrike. As the exploit needs high privileges, the overall risk of the vulnerability is very limited.
While the vulnerability itself might not be worth a blog post, we'd like to write a few lines about the ridiculous
Ridiculous vulnerability disclosure process with CrowdStrike Falcon Sensor | mod%log
We found a security-related issue in the most recent CrowdStrike Falcon Sensor. The bug itself is not worth a blog post, as the severity is pretty low. However, we'd like to shed some light on a vulnerability submission and disclosure process with CrowdStrike: It was pretty weird.
www.modzero.com