In a rare emergency directive, the US agency CISA has ordered all Federal Agencies to immediately deploy last month’s Windows security update to remediate a critical vulnerability in Netlogon.
The US Department of Homeland Security is again stressing the severity of a recently disclosed vulnerability in the Microsoft Windows Netlogon Remote Protocol that could let an attacker with network access to a domain controller completely compromise all Active Directory identity services.
Privilege Escalation Flaw
The vulnerability, a privilege escalation flaw that received the maximum score of 10 out of 10 on the Common Vulnerability Scoring System (CVSS) v3.0 severity scale, was first patched in August but stayed under the radar of many until last week, when Secura, a Dutch security firm, published a paper describing the flaw and how it can be exploited.
Exploit code for the flaw was posted online shortly afterwards.
On Friday, a week after Secura’s disclosure, the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) ordered all US Federal Agencies, if they have not already done so, to apply the patch to every Windows Server holding the domain controller role by 11:59 PM EDT tonight. Any domain controller that cannot be updated is to be removed from the network.
The agency also requires US Federal Agencies to put technical controls in place so that domain controller servers are updated before they are connected to agency networks.
“In addition to agencies using their vulnerability scanning tools for this task, CISA recommends that agencies use other means to confirm that the update has been properly deployed,” the agency wrote.
“These requirements apply to Windows Servers with the Active Directory domain controller role in any information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.”
The second part of CISA’s directive requires Department-level Chief Information Officers (CIOs) of agencies to submit a completion report confirming that the vulnerability has been patched.
The report asks each organisation how many Windows Servers with the Active Directory Domain Controller role it currently oversees, how many of those are patched, how many have been removed from the network, and how many are unsupported or end of life but still on the network.
CISA also wants confirmation that each organisation has technical controls in place to ensure that any new or previously disconnected domain controllers carry the August update before they are connected, and it asks whether organisations ran into any issues while patching the flaw.
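The directive asks for a count of patched, unpatched, and unsupported domain controllers and recommends confirming deployment by a means other than the vulnerability scanner. The script below is an added example, not code from the article or from CISA, of how an administrator could gather those figures directly: it enumerates every domain controller in the forest, reads the build number and the installed version of netlogon.dll over the admin share, and tallies the result. The minimum fixed file version for each OS build is not stated on this page; the $MinimumVersionByBuild table is a placeholder that must be filled in from the vendor’s release notes for the August update, and the report path is an assumption.

```powershell
<#
  Added example (not from the article or from CISA): inventory every domain
  controller, read the netlogon.dll file version on each, and tally the
  figures the CISA completion report asks for.

  ASSUMPTION: the per-build minimum fixed version is NOT given on the page.
  The values below are placeholders; replace them with the netlogon.dll
  version shipped in the August update for each Windows Server build.
#>
param(
    [hashtable]$MinimumVersionByBuild = @{
        '17763' = [version]'10.0.17763.0'   # placeholder: Windows Server 2019
        '14393' = [version]'10.0.14393.0'   # placeholder: Windows Server 2016
        '9600'  = [version]'6.3.9600.0'     # placeholder: Windows Server 2012 R2
    },
    [string]$ReportPath = '.\dc-netlogon-report.csv'  # assumed output location
)

Import-Module ActiveDirectory -ErrorAction Stop

# One row per domain controller; Status uses fixed labels so the summary groups cleanly.
$rows = foreach ($dc in Get-ADDomainController -Filter *) {
    $row = [ordered]@{
        HostName = $dc.HostName
        OS       = $dc.OperatingSystem
        Build    = $null
        Netlogon = $null
        Status   = 'Unreachable'
        Detail   = ''
    }
    try {
        # Build number over CIM, file version over the admin share: no scanner or agent involved.
        $os  = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $dc.HostName -ErrorAction Stop
        $dll = Get-Item -Path "\\$($dc.HostName)\admin`$\System32\netlogon.dll" -ErrorAction Stop
        $vi  = $dll.VersionInfo
        $row.Build    = [string]$os.BuildNumber
        $row.Netlogon = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

        $min = $MinimumVersionByBuild[$row.Build]
        if (-not $min) {
            # A build with no entry is either end of life or missing from the table; both need a human decision.
            $row.Status = 'Unsupported or unlisted build'
        }
        elseif ($row.Netlogon -ge $min) {
            $row.Status = 'Patched'
        }
        else {
            $row.Status = 'Not patched'
            $row.Detail = "netlogon.dll $($row.Netlogon) is below required $min"
        }
    }
    catch {
        # Treat an unreachable DC as unverified, not as patched.
        $row.Detail = $_.Exception.Message
    }
    [pscustomobject]$row
}

$rows | Export-Csv -Path $ReportPath -NoTypeInformation

# Summary in the shape of the completion report: total, then per-status counts.
"Domain controllers found: $($rows.Count)"
$rows | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$rows | Where-Object Status -ne 'Patched' | Format-Table HostName, Build, Netlogon, Status, Detail -AutoSize
```

Run it from a management host with the RSAT Active Directory module and administrative rights to each domain controller’s admin$ share. A controller that is unreachable or whose build is not in the table is reported as such rather than counted as patched, so those rows map onto the directive’s “removed from the network” and “unsupported or end of life” questions and need to be resolved by hand before the report is filed.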
It is the fourth Emergency Directive issued by CISA since the agency’s inception and the third so far this year.
The other two this year also concerned vulnerabilities in Windows operating systems: one addressed weaknesses in how Windows validates Elliptic Curve Cryptography (ECC) certificates and how Windows handles connection requests in the Remote Desktop Protocol (RDP) server and client, and the other resolved a remote code execution vulnerability in how Windows Server runs the DNS Server role.