On July 19, 2024, a flawed update in CrowdStrike Falcon's channel file 291 led to a logic error that caused Windows systems to crash, resulting in widespread BSOD (Blue Screen of Death) incidents. The impact was severe, disrupting critical infrastructure globally, from grounded flights to halted public transit systems. In fact, you’d have to have been living under a rock to have missed this incident. While this Windows-related incident dominated the headlines, however, a less publicized, but critical, issue was brewing on Linux.

Lurking in the Linux Shadows: eBPF

Regardless of the widespread disruption caused by Windows Blue Screens during the recent CrowdStrike outage, the next significant strike might target Linux systems, and eBPF (extended Berkeley Packet Filter) could be at the center of it. While many focused on the catastrophic effects of the Windows incident, Linux systems face their own quieter, yet equally alarming, issues. eBPF—a popular and powerful, but dangerously invasive technology—poses a significant risk to even the most stable Linux environments.

The Linux Kernel Panic: An Overlooked Disaster

This threat isn’t just theoretical. In June 2024, Red Hat Linux users experienced kernel panics caused by the CrowdStrike Falcon agent running as an eBPF program. Although this incident didn’t cause the same level of public outcry as the Windows BSODs, it underscores a critical risk: eBPF, when improperly managed, can destabilize entire Linux systems. Kernel panics, though less visually dramatic than BSODs, can be equally catastrophic, especially in environments running mission-critical services.

eBPF operates in the kernel space, allowing it to execute powerful monitoring and security tasks. However, this power comes with significant risk. A minor bug in an eBPF program can lead to system-wide crashes. Consider this simple code example:

int bpf_prog(struct __sk_buff *skb) {
int *ptr = NULL;
*ptr = 42; // Dereferencing a null pointer, leading to a crash
return 0;
}

This code, though simplistic, highlights the potential dangers of eBPF: a single misstep can bring down an entire system. The Linux kernel panic in June was a direct result of such risks, serving as a wake-up call for the Linux community.

A Surge in eBPF Vulnerabilities

eBPF’s flexibility and power have made it a popular tool in modern computing environments, but its increasing complexity has led to a surge in vulnerabilities. Since 2021, there have been 36 CVEs (Common Vulnerabilities and Exposures) related to eBPF, with 10 of them reported in just the first seven months of 2024. These vulnerabilities highlight the inherent dangers of integrating eBPF into production environments.

2024 eBPF-Related CVEs:

CVE-2024-42486
Severity: CVSS 5.5
Description: In Cilium's GatewayAPI controller, changes to ReferenceGrant are not correctly propagated, potentially leading to unauthorized access in versions before 1.15.8 on the 1.15.x branch and 1.16.1 on the 1.16.x branch.

CVE-2024-42488
Severity: CVSS 6.8
Description: A race condition in Cilium’s eBPF-based agent can cause it to ignore critical node labels, resulting in unenforced security policies and potential security breaches.

CVE-2024-42487
Severity: CVSS 4.0
Description: Flaws in Cilium’s Gateway API HTTPRoutes and GRPCRoutes lead to incorrect traffic routing, which could expose systems to unauthorized access.

CVE-2024-37307
Severity: CVSS 7.9
Description: When using the cilium-bugtool with the --envoy-dump flag, sensitive data may be exposed, leading to security breaches in Cilium’s eBPF-based dataplane.

CVE-2024-28860
Severity: CVSS 8.0
Description: A critical vulnerability in Cilium’s IPsec transparent encryption renders encryption ineffective, exposing systems to cryptographic attacks.

CVE-2024-28248
Severity: CVSS 7.2
Description: Inconsistent application of HTTP policies in Cilium allows unauthorized HTTP traffic to bypass security measures, leading to potential data breaches.

CVE-2024-28249
Severity: CVSS 6.1
Description: In Cilium clusters with IPsec enabled, certain traffic may be sent unencrypted, compromising data confidentiality.

CVE-2024-28250
Severity: CVSS 6.1
Description: A flaw in Cilium’s WireGuard implementation can result in unencrypted traffic between nodes, exposing sensitive data to unauthorized access.

CVE-2024-25631
Severity: CVSS 6.1
Description: This vulnerability affects Cilium users with an external key-value store and WireGuard enabled, where traffic between pods is not encrypted, exposing data to interception.

CVE-2024-25630
Severity: CVSS 6.1
Description: Similar to CVE-2024-25631, this vulnerability affects Cilium users storing Cilium state using CRDs, with traffic to and from Ingress and health endpoints being unencrypted, leading to potential security breaches.

These vulnerabilities illustrate the risks posed by eBPF, particularly when it is used in environments requiring high security and stability.

It’s Not Just About CVEs

While the CVEs discussed highlight significant security flaws, they don’t fully capture the risks posed by eBPF. One particularly concerning issue is that kernel panics caused by eBPF programs, like the one observed with the Falcon sensor on Linux, are not even captured as CVEs. Even when classified as a vulnerability, kernel panics, which cause the entire system to crash, are not always classified with high CVSS (Common Vulnerability Scoring System) scores because they often require local privileges to exploit. However, the impact of a kernel panic—especially in production environments—can be devastating.

For example, the kernel panic caused by the Falcon sensor on a Linux kernel version 5.14.0-427.13.1.el9_4.x86_64 was not classified as a CVE. Despite this, the issue was severe enough to prompt a rapid update to the Falcon sensor software.

Ten Key Takeaways About eBPF as a Dangerous Technology

1. Kernel-Level Access: eBPF operates at the kernel level, meaning any bugs or vulnerabilities can have catastrophic consequences, including system-wide crashes.
2. Surge in Vulnerabilities: The number of eBPF-related CVEs has increased dramatically, with 10 reported in just the first half of 2024 alone, indicating growing security concerns.
3. Low Score, High Impact: Many eBPF-related vulnerabilities have low CVSS scores because they require local privileges. However, their impact—like causing kernel panics—is not fully captured by these scores.
4. Complexity Breeds Bugs: eBPF’s complexity makes it more prone to bugs and vulnerabilities, as evidenced by the recent spate of CVEs.
5. Kernel Panics Are Underreported: Issues like kernel panics caused by eBPF programs are often not classified as CVEs, despite their potential to disrupt entire systems.
6. Inconsistent Security Implementations: Vulnerabilities like those in Cilium show that even when eBPF is used in security-focused applications, inconsistencies can lead to significant security risks.
7. Sensitive Data Exposure: Some eBPF vulnerabilities can lead to the exposure of sensitive data, as seen in CVE-2024-37307.
8. Inadequate Encryption: Several CVEs, including CVE-2024-28860 and CVE-2024-28249, reveal that eBPF-based systems may fail to properly encrypt data, leaving it vulnerable to interception.
9. Invasive Technology: eBPF’s deep integration into the kernel makes it a highly invasive technology, amplifying the consequences of any flaws.
10. Need for Rigorous Testing: The high number of vulnerabilities associated with eBPF highlights the need for rigorous testing and validation before deploying it in production environments.

Conclusion: The Next Incident Might Be Linux

The CrowdStrike outage should serve as a warning—not just for Windows users, but for the entire tech industry. While Windows BSODs grabbed headlines, the next threat may be nascent in Linux systems, where eBPF could cause the next major disruption. As eBPF continues to be adopted for more use cases, the risk of catastrophic failures increases unless the industry adopts more stringent testing and validation practices.

The Linux community and the broader tech industry must remain vigilant, ensuring that the power of eBPF is harnessed safely. Without proper safeguards, eBPF could very well be the catalyst for the next major system crash.