
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability was discovered in CrowdStrike Falcon versions 6.31.14505.0, 6.42.15610, and 6.44.15806, identified as CVE-2022-2841. The vulnerability affects the Uninstallation Handler component and was discovered in April 2022 by researchers at modzero AG. The issue relates to insufficient control flow management in the uninstallation protection mechanism of the CrowdStrike Falcon sensor (Modzero Advisory).
The vulnerability is classified as CWE-691: Insufficient Control Flow Management, allowing bypass of the uninstall protection feature. The issue occurs in the Microsoft Installer (MSI) implementation, where the MSI fails open instead of failing closed when a Custom Action terminates without returning. This behavior allows circumvention of the token verification process during uninstallation (SecurityWeek, VulDB).
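The fail-open versus fail-closed distinction described above, as an added example that is not code from CrowdStrike, modzero, or the original page. The helper commands, verdict strings, exit codes, and function names are all hypothetical stand-ins for a verification step that runs in a separate process.

```python
import subprocess
import sys

# Stand-in verification helpers (constructed for this example). Each is a tiny
# child process; "terminated" never reports a verdict before it is ended.
HELPERS = {
    "valid_token": "print('VERDICT:allow')",
    "bad_token": "print('VERDICT:deny'); raise SystemExit(3)",
    "terminated": "import time; time.sleep(60); print('VERDICT:deny')",
}

def run_check(kind, timeout=3.0):
    """Run a helper; return (exit_code, verdict). verdict is None if none was reported."""
    proc = subprocess.Popen([sys.executable, "-c", HELPERS[kind]],
                            stdout=subprocess.PIPE, text=True)
    try:
        out, _ = proc.communicate(timeout=timeout)
    except subprocess.TimeoutExpired:
        proc.kill()  # models a helper that ends without ever returning a result
        out, _ = proc.communicate()
    verdict = None
    for line in out.splitlines():
        if line.startswith("VERDICT:"):
            verdict = line.split(":", 1)[1]
    return proc.returncode, verdict

def may_uninstall_fail_open(kind):
    """Flawed pattern: only an explicit denial blocks the protected operation."""
    _, verdict = run_check(kind)
    return verdict != "deny"

def may_uninstall_fail_closed(kind):
    """Hardened pattern: only a clean exit plus an explicit allow permits it."""
    code, verdict = run_check(kind)
    return code == 0 and verdict == "allow"

if __name__ == "__main__":
    for kind in HELPERS:
        print(f"{kind:12} fail-open={may_uninstall_fail_open(kind)} "
              f"fail-closed={may_uninstall_fail_closed(kind)}")
```

The two policies agree on a valid and a rejected token and differ only when the check ends without a result, which is the case CWE-691 covers here.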
When exploited, the vulnerability allows an attacker with administrative privileges to bypass the uninstall protection mechanism and remove the CrowdStrike Falcon sensor from the device without proper authorization. This effectively removes the device's EDR and AV protection, leaving the CrowdStrike administrator unaware of potential attacks on the now unprotected endpoint (Modzero Advisory).
The vulnerability can be addressed by upgrading to CrowdStrike Falcon versions 6.40.15409, 6.42.15611, or 6.44.15807. CrowdStrike has also implemented additional security measures to flag potentially malicious uninstallation attempts (VulDB).
The disclosure process of this vulnerability generated significant attention due to communication challenges between modzero AG and CrowdStrike. The researchers expressed frustration with CrowdStrike's insistence on using their bug bounty program and requiring NDAs, leading to a public disclosure of the vulnerability (SecurityWeek).
Source: This report was generated using AI