An emergency directive ordered some US Federal Agencies to apply Microsoft’s patch for a critical DNS vulnerability by Fri, July 17 at 2p.m. (ET).
The US Cybersecurity & Infrastructure Security Agency (CISA) is ordering all federal executive branch offices to apply a patch for a wormable Windows Server bug within 24 hours, warning of a “high potential for compromise of agency information systems.”
In an Emergency Directive, the US Department of Homeland Security (DHS) agency ordered the “Federal Civilian Executive Branch” to apply a patch Microsoft released Tues. for the vulnerability, (CVE-2020-1350), by 2.00 pm ET Friday.
“CISA has determined that this vulnerability poses unacceptable significant risk to the Federal Civilian Executive Branch & requires an immediate & emergency action,” the agency explained in the directive.
The directive requires that by the deadline, all of the mentioned agencies do the following:-
“Update all endpoints running Windows Server operating systems; ensure the July 2020 Security Update or registry modification workaround is applied to all Windows Servers running the DNS role, ensure the July 2020 Security Update is applied to all Windows Servers &, if necessary & applicable, the registry change workaround is removed, & ensure technical and/or management controls are in place to ensure newly provisioned or previously disconnected servers are updated before connecting to agency networks.”
While there is no evidence of current active exploitation of the vulnerability, the CISA based its warning on “the likelihood of the vulnerability being exploited” as well as “the widespread use of the affected software across the Federal enterprise,” & “the grave impact of a successful compromise,” according to the directive.
The CISA emergency directive includes:
- By 2:00 pm EDT, Friday, July 17, 2020, ensure the July 2020 Security Update or registry modification workaround is applied to all Windows Servers running the DNS role.
- By 2:00 pm EDT, Friday, July 24, 2020, ensure the July 2020 Security Update is applied to all Windows Servers &, if necessary & applicable, the registry change workaround is removed.
- By 2:00 pm EDT, Friday, July 24, 2020, ensure technical and/or management controls are in place to ensure newly provisioned or previously disconnected servers are updated before connecting to agency networks.
The agency recommends taking equipment offline if it cannot be patched before the CISA deadline.
The vulnerability, a DNS flaw, was one of 123 bugs Microsoft patch in July’s Patch Tuesday, the fifth month in a row the company patched more than 100 vulnerabilities.
CVE-2020-1350 is a remote code-execution vulnerability in the Windows Domain Name System (DNS) Server that was initially discovered by Sagi Tzaik, a researcher at Check Point. That bug exists due to the improper handling of requests sent to Windows DNS servers, according to researchers.
“A remote, unauthenticated attacker could exploit this vulnerability by sending a malicious request to a vulnerable Windows DNS server,” stated Satnam Narang, Staff Research Engineer at Tenable, in the company’s Patch Tuesday analysis. “Successful exploitation would allow the attacker to execute arbitrary code under the local system account context,”
Also, the vulnerability is wormable, which means it could spread from computer to computer without user interaction, making it all the more dangerous, he commented.
Although Emergency Directive 20-03 applies only to certain Executive Branch departments & agencies, the CISA also strongly recommends that all state & local governments, the private sector, & others patch this critical vulnerability as soon as possible.
The CISA has had its hands full lately warning on the exploit likelihood & danger of critical vulnerabilities that have either been discovered or patched in widely used hardware & software.
On July 14, the CISA warned of a critical vulnerability for SAP customers, the successful exploitation of which could open the door for attackers to read & modify financial records; change banking details; read personal identifiable information (PII); & engage in other numerous types of disruptive behaviour.
A week before that, the agency asked all administrators to implement an urgent patch for a critical vulnerability in F5 Networks’ networking devices, which is being actively exploited by attackers to scrape credentials, launch malware & more.
The CISA also warned June 30 that foreign hackers were likely to exploit a critical vulnerability, CVE-2020-2021, in a raft of Palo Alto Networks firewalls & enterprise VPN appliances, ordering agencies to patch all affected devices.