Did a font change in a PDF cause the Crowdstrike fail?
Jonathan Fine
jfine2358 at gmail.com
Fri Jul 19 17:11:27 CEST 2024
Hi
This is prompted by today's Crowdstrike anti-virus failure. It has brought
many systems down. Its fix often requires a technician to be physically
present during boot, so that safe-boot and recovery can take place. It will
be a while before this can be done on all affected machines.
The failure was due to a "content update" to Crowdstrike. According to
BBC's Joe Tidy, a content update could be "something innocuous [such] as
changing a font or logo" in the design side of the software. But Joe Tidy
then goes on to ask: "how could a small update do so much damage?"
Indeed. Perhaps unrelated is the vulnerability CVE-2024-4367, announced on
29 May 2024. And the vulnerability is described as "A type check was
missing when handling fonts in PDF.js, which would allow arbitrary
JavaScript execution in the PDF.js context." Codean points out that this
exploit can lead to native code execution on at least one popular electron
app.
This vulnerability was discovered by Codean Labs. It relies on the PDF
standard allowing a PDF document "to specify a custom FontMatrix value
outside of a font, namely in a metadata object in the PDF!" And the lack of
a type check in PDF.js allows arbitrary JavaScript to be executed in the
PDF.js context.
I've no way of knowing what was the cause of the Crowdstrike failure. I do
know that if Crowdstrike used PDF.js then it is plausible that the failure
is a CVE-2024-4367 exploit. We'll have to wait and see. But surely it is
clear that Codean has found yet another serious PDF bug, arising from the
size of the standard and the complexity of the interactions between the
different parts.
I don't recall how I first became aware of this vulnerability. Here are the
URLs I quoted from:
BBC:
https://www.bbc.co.uk/news/live/cnk4jdwp49et?post=asset%3Abd501d28-fe49-4e4e-8605-194da98eeb6c#post
NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-4367
Codeanlabs:
https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/
The question was did a font change in a PDF cause the Crowdstrike fail? My
answer is maybe, we'll just have to wait and see.
with kind regards
Jonathan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://tug.org/pipermail/texhax/attachments/20240719/e20f3c4c/attachment.htm>
More information about the texhax
mailing list.