US cybersecurity agency issues super-rare emergency directive to patch Windows Server flaw ASAP
Government sysadmins given weekend to fix ZeroLogon elevation of privilege bug, rest of us given stern warning
Uncle Sam's Cybersecurity and Infrastructure Security Agency (CISA) has taken the unusual step of issuing an emergency directive that gives US government agencies a four-day deadline to roll out a Windows Server patch.
The directive, issued on September 18, demanded that executive agencies take “immediate and emergency action” to patch CVE-2020-1472, the CVSS-perfect-ten-rated flaw that Dutch security outfit Secura BV said allows attackers to instantly become domain admin by subverting Microsoft's Netlogon cryptography.
This means the bug can “be used to obtain domain admin credentials and then restore the original DC password,” CISA stated.
“This attack has huge impact. It basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged a device to an on-premise network port) to completely compromise the Windows domain.”
CISA has directed executive agencies to apply the patch by September 21, as well as strongly urging state and local government agencies, the private sector, and members of the public to update as soon as possible.
“We do not issue emergency directives unless we have carefully and collaboratively assessed it to be necessary,” the agency warned. CISA issued just two such directives in each of 2018 and 2019. 2020's status as a year of woe has seen it score four of the emergency warnings.
That the agency feels the need to issue one for this flaw is notable given that simply applying Microsoft's August patches would have fixed the problem. Yet US government agencies need the firmest possible prod to get it done. ®