Published on Aug 25, 2022
A VMware update on some versions of its Carbon Black endpoint solution is causing BSODs and boot loops on Windows machines, according to multiple organisation.
Several PCs began booting into blue screens with the stop code PFN_LIST_CORRUPT. This was apparently caused by a change in ruleset by the company, which agreed to be acquired by Broadcom in May.
It was reported on Twitter that threat hunter Tim Geschwindt was aware of 50 organisation experiencing the problem, and that Carbon Black’s endpoint solution was causing “blue screens of death” for devices with sensor versions 3.7.0.1253 (later extending to a broader range of sensors). It appears that the BSODs began at 1430 UTC.
According to one admin on Reddit, “servers and workstations are bluescreening ‘PFN_LIST_CORRUPT’,” while another claims VMware has informed them they are inundated.
According to VMware’s Knowledge Base article, the cause is updated threat research rulesets rolled out to US East, Asia Pacific, and EU cloud regions, which have not caused any problems in internal testing.
VMware says the problem affects devices running sensor versions 3.6.x.x to 3.7.x.x.
It promises that machines will “get the updated ruleset and auto-resolve” as soon as they check in at the VMware Explore event in San Francisco next week.
Admins have been instructed to place affected devices into bypass mode via the Carbon Black Cloud Console to allow them to boot successfully and have the ruleset removed, though a “small subset” may require an additional workaround, so a support ticket should be opened. The Knowledge Base has more information, and Carbon Black users should check for updates.
