VMware has admitted an update on some versions of its Carbon Black endpoint solution is responsible for BSODs and boot loops on Windows machines after multiple organizations were affected by the problem.
The issue – where PCs began booting into blue screens, some of which flashed the stop code PFN_LIST_CORRUPT – was apparently caused by a changed ruleset by the recent Broadcom acquisition.
The problem surfaced yesterday, with threat hunter Tim Geschwindt stating on Twitter he knew of about 50 organizations struggling with the issue, and saying the Carbon Black endpoint solution was “causing blue screens of death for devices running sensor version 126.96.36.1993” (later expanded to a broader range of sensors). The BSODs apparently began at 1430 UTC yesterday.
Over on Reddit, one admin says the net effect was “servers and workstations bluescreening ‘PFN_LIST_CORRUPT’,” with another sysadmin saying they had been “told verbally by VMware that they are inundated.”
VMware says in its Knowledge Base article that the cause was some updated threat research rulesets rolled out to cloud regions in the US East, Asia Pacific, and the EU, which, it added, hadn’t caused any trouble in its internal testing.
The problem affects devices running sensor versions from 3.6.x.x to 3.7.x.x, VMware says.
The virtualization giant, which hosts its VMware Explore event in San Francisco next week, has rolled back the rulesets, and promises that as machines check in, they will “get the updated ruleset and auto-resolve.”
Admins have been told to place affected devices into bypass mode via the Carbon Black Cloud Console to allow them to boot successfully and have the ruleset removed, although a “small subset” may require an additional workaround and those looking after them should open a support ticket. There’s more information in the Knowledge Base, and Carbon Black users should check for updates.
The vendor patched critical flaws in Carbon Black’s App Control security tool earlier this year.
Tech analysts at Gartner have predicted that VMware’s new owner, Broadcom, may rationalize some products, noting that both Symantec and the Carbon Black unit offer endpoint protection products. The deal is expected to close before the end of Broadcom’s fiscal 2023, so by October next year.
We have asked VMware for comment. ®