CISA Emergency Directive Orders Immediate Fix of Windows DNS Server Bug

2020-07-17T15:43:00
ID THREATPOST:363C332F7046A481C24C7172C55CF758
Type threatpost
Reporter Elizabeth Montalbano
Modified 2020-07-17T15:43:00

Description

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is ordering all federal executive branch offices to apply a patch for a wormable Windows Server bug within 24 hours, warning of a “high potential for compromise of agency information systems.”

In an Emergency Directive, the Department of Homeland Security (DHS) agency ordered the “Federal Civilian Executive Branch” to apply a patch Microsoft released Tuesday for the vulnerability (CVE-2020-1350) by 2:00 pm ET Friday.

“CISA has determined that this vulnerability poses unacceptable significant risk to the Federal Civilian Executive Branch and requires an immediate and emergency action,” the agency said in the directive.

Specifically, the directive requires that by the deadline, all of the aforementioned agencies do the following: “Update all endpoints running Windows Server operating systems; ensure the July 2020 Security Update or registry modification workaround is applied to all Windows Servers running the DNS role; ensure the July 2020 Security Update is applied to all Windows Servers and, if necessary and applicable, the registry change workaround is removed; and ensure technical and/or management controls are in place to ensure newly provisioned or previously disconnected servers are updated before connecting to agency networks.”

While there is no evidence of current active exploitation of the vulnerability, the CISA based its warning on “the likelihood of the vulnerability being exploited” as well as “the widespread use of the affected software across the Federal enterprise,” and “the grave impact of a successful compromise,” according to the directive.

The CISA emergency directive includes:

  • By 2:00 pm EDT, Friday, July 17, 2020, ensure the July 2020 Security Update or registry modification workaround is applied to all Windows Servers running the DNS role.
  • By 2:00 pm EDT, Friday, July 24, 2020, ensure the July 2020 Security Update is applied to all Windows Servers and, if necessary and applicable, the registry change workaround is removed.
  • By 2:00 pm EDT, Friday, July 24, 2020, ensure technical and/or management controls are in place to ensure newly provisioned or previously disconnected servers are updated before connecting to agency networks.

The agency recommends taking equipment offline if it can’t be patched before the CISA deadline.
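The directive's three requirements (patch or workaround on DNS-role servers, the update on every server, workaround removed once patched) map to a per-host compliance check. The script below is an added example, not code from the article or from CISA; the KB number and the workaround value name and data are placeholders to be taken from Microsoft's advisory for CVE-2020-1350, and the DNS service registry path is assumed.

```powershell
# Added example (not from the Threatpost article or Emergency Directive 20-03).
# Checks one Windows Server against the directive's three requirements and
# returns an object suitable for a fleet-wide report.
# PLACEHOLDERS: the KB number and the workaround value name/data are not in
# the article; fill them in from Microsoft's advisory for CVE-2020-1350.
function Test-Ed2003Compliance {
    [CmdletBinding()]
    param(
        [string]$UpdateKb = 'KB0000000',                       # placeholder KB
        # Assumption: the DNS Server service keeps its parameters under this key.
        [string]$WorkaroundKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters',
        [string]$WorkaroundValueName = 'WORKAROUND_VALUE_NAME', # placeholder
        [uint32]$WorkaroundValueData = 0                        # placeholder
    )

    # Requirement 1 (24-hour deadline) applies only to servers running the DNS role.
    $dnsRole      = Get-WindowsFeature -Name DNS -ErrorAction SilentlyContinue
    $dnsInstalled = [bool]($dnsRole -and $dnsRole.Installed)

    # Requirement 2: is the July 2020 Security Update installed?
    $patched = [bool](Get-HotFix -Id $UpdateKb -ErrorAction SilentlyContinue)

    # Requirement 3: is the registry workaround applied? It must be removed once patched.
    $workaround = $false
    $regItem = Get-ItemProperty -Path $WorkaroundKey -Name $WorkaroundValueName `
                                -ErrorAction SilentlyContinue
    if ($regItem) {
        $workaround = ($regItem.$WorkaroundValueName -eq $WorkaroundValueData)
    }

    # Map the findings to the directive's deadlines and recommended actions.
    $status = if ($patched -and -not $workaround) { 'Compliant' }
              elseif ($patched)                   { 'Patched: remove workaround' }
              elseif (-not $dnsInstalled)          { 'No DNS role: patch by 24 Jul' }
              elseif ($workaround)                 { 'Workaround applied: patch by 24 Jul' }
              else { 'NON-COMPLIANT: take offline, then patch or apply workaround' }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        DnsRole      = $dnsInstalled
        Patched      = $patched
        Workaround   = $workaround
        Status       = $status
    }
}

Test-Ed2003Compliance
```

To cover a fleet, run the function remotely with `Invoke-Command -ComputerName <servers> -ScriptBlock ${function:Test-Ed2003Compliance}` and filter on `Status`.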

The vulnerability, a DNS flaw, was one of 123 bugs Microsoft patched in July’s Patch Tuesday, the fifth month in a row that the company patched more than 100 vulnerabilities.

CVE-2020-1350 is a remote code-execution vulnerability in the Windows Domain Name System (DNS) Server that was initially discovered by Sagi Tzaik, a researcher at Check Point. The bug exists because Windows DNS servers improperly handle certain requests, according to researchers.

“A remote, unauthenticated attacker could exploit this vulnerability by sending a malicious request to a vulnerable Windows DNS server,” wrote Satnam Narang, staff research engineer at Tenable, in the company’s Patch Tuesday analysis. “Successful exploitation would allow the attacker to execute arbitrary code under the local system account context.”

Moreover, the vulnerability is wormable, which means it could spread from computer to computer without user interaction, making it all the more dangerous, he said.

Although Emergency Directive 20-03 applies only to certain Executive Branch departments and agencies, the CISA also strongly recommends that all state and local governments, the private sector, and others patch this critical vulnerability as soon as possible.

The CISA has had its hands full lately, warning about the likelihood of exploitation and the danger of critical vulnerabilities that have been discovered or patched in widely used hardware and software.

On July 14, the CISA warned of a critical vulnerability for SAP customers, the successful exploitation of which could allow attackers to read and modify financial records, change banking details, read personally identifiable information (PII), and engage in numerous other types of disruptive behavior.

A week before that, the agency urged all administrators to implement an urgent patch for a critical vulnerability in F5 Networks’ networking devices, which is being actively exploited by attackers to scrape credentials, launch malware and more.

The CISA also warned June 30 that foreign hackers were likely to exploit a critical vulnerability, CVE-2020-2021, in a raft of Palo Alto Networks firewalls and enterprise VPN appliances, ordering agencies to patch all affected devices.