HACKER Q&A
📣 JoyousPepper

Falcon CrowdStrike compromises /dev/urandom security?


I was recently asked to install Falcon CrowdStrike on a personal machine for work. While going about my duties I observed the following strange behaviour, in which /dev/urandom appeared to be leaking files from my local filesystem in the output. Here is a .gif [0] illustrating the behavior.

I have two questions. First, is this behavior expected during the normal operation of Falcon CrowdStrike?

Secondly, and if so, does this not present a significant security risk to all endpoints deployed with CrowdStrike sensor software? My understanding is that /dev/urandom is a source of entropy, and having regular, predictable data being output from /dev/urandom could impact random number generators and other cryptographic primitives.

[0] https://web.archive.org/web/20240221134626/https://i.imgur.com/O4PMDgS.gif


  👤 LinuxBender Accepted Answer ✓
It's hard for me to read that gif. Are you certain this is coming from Crowdstrike, or could it be by chance this was already happening from something else prior to the installation? They would want to know if this is coming from them. If you can show how you were able to confirm Crowdstrike is doing this have your security team open a high priority case with them. Try to increase log level [1] and see if it mentions opening /dev/urandom at the same time this happens. Otherwise you may have to use strace or other methods of capturing system calls from it. Maybe lsof -n will give some clues.

[1] - https://www.dell.com/support/kbdoc/en-us/000178209/how-to-co...
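A way to carry out the checks suggested in the answer without depending on lsof, written as an added example rather than code from either poster. It assumes a Linux host with procfs and coreutils (stat, readlink, od); the function names and the "run" argument are my own. It first confirms that /dev/urandom is still the kernel's character device (major 1, minor 9), since a regular file or a different node at that path would explain structured data showing up in the stream, then lists every process holding the device open, and finally takes a hex-dumped sample instead of streaming raw bytes to the terminal, where control bytes in random data can reposition the cursor or redraw the screen and make earlier terminal contents look as if they are coming out of the device.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes Linux + procfs + coreutils.

# Device numbers of the kernel urandom node (Documentation/admin-guide/devices.txt).
URANDOM_MAJOR=1
URANDOM_MINOR=9

# Pure check: does a major/minor pair match the kernel urandom device?
is_urandom_devno() {
    [ "$1" = "$URANDOM_MAJOR" ] && [ "$2" = "$URANDOM_MINOR" ]
}

# Is the node at $1 (default /dev/urandom) the genuine character device?
check_urandom_node() {
    node=${1:-/dev/urandom}
    [ -c "$node" ] || { echo "$node is not a character device"; return 1; }
    # stat %t / %T print the major / minor number in hex
    is_urandom_devno "$(stat -c %t "$node")" "$(stat -c %T "$node")" \
        || { echo "$node has unexpected device numbers"; return 1; }
    echo "$node is the kernel urandom device ($URANDOM_MAJOR:$URANDOM_MINOR)"
}

# Pure filter: given lines "PID TARGET COMM" on stdin, print "PID COMM" for
# entries whose TARGET equals $1. Kept separate so it can be tested on
# constructed input without a live /proc. COMM is last because it may
# contain spaces.
filter_fd_table() {
    want=$1
    while read -r pid target comm; do
        [ "$target" = "$want" ] && printf '%s %s\n' "$pid" "$comm"
    done
}

# Build the "PID TARGET COMM" table from /proc for every fd we may read.
# Without root this only shows our own processes.
open_fd_table() {
    for fd in /proc/[0-9]*/fd/*; do
        pid=${fd#/proc/}; pid=${pid%%/*}
        target=$(readlink "$fd" 2>/dev/null) || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null) || comm='?'
        printf '%s %s %s\n' "$pid" "$target" "$comm"
    done
}

# Which processes currently hold /dev/urandom open? This is the procfs
# equivalent of the lsof -n check mentioned in the answer.
procs_holding_urandom() {
    open_fd_table | filter_fd_table /dev/urandom | sort -u
}

# Sample the device safely: a fixed number of bytes, hex-encoded, so no raw
# control bytes ever reach the terminal.
sample_urandom_hex() {
    head -c "${1:-32}" /dev/urandom | od -An -tx1 -v | tr -d ' \n'
}

main() {
    check_urandom_node
    echo "processes with /dev/urandom open:"
    procs_holding_urandom
    echo "32 random bytes (hex): $(sample_urandom_hex 32)"
}

# Only run the live checks when invoked as: sh urandom_check.sh run
case "${1:-}" in run) main ;; esac
```

Run it as root (`sudo sh urandom_check.sh run`) to see other users' processes; repeat it while the odd output is happening and compare the process list against the sensor's own log at the higher log level, which is what the vendor case would need.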