Government agencies in the US have until today to patch a Windows Server vulnerability that could give hackers control over federal networks.
The Department of Homeland Security (DHS) has given system administrators until today (21 September) to patch a critical vulnerability in Windows Server that could allow an attacker to hijack federal networks, via a flaw in the Netlogon authentication system.
On 18 September, the DHS’s cybersecurity division issued an emergency directive giving government agencies a four-day deadline to patch the CVE-2020-1472 vulnerability, also known as Zerologon, citing the “unacceptable risk” it posed federal networks.
SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
The flaw enables an unauthorized user to assume control of a network via a flaw in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC), by simply sending a series of Netlogon messages with input fields filled with zeros.
Once compromised, an attacker could make themselves domain admin and reset the domain control password, effectively giving them control over the entire network.
CVE-2020-1472 was addressed by Microsoft as part of its
when it was assigned a Common Vulnerability Scoring System (CVSS) score of 10 – the highest possible mark in terms of its severity.
A subsequent investigation by Dutch cybersecurity firm Secura shed further light on just how serious the flaw was. In a report on the Zerologon exploit, the firm said: “This attack has a huge impact: it basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain.
“The attack is completely unauthenticated: the attacker does not need any user credentials.”
It was following Secura’s report that the US Cybersecurity and Infrastructure Security Agency (CISA) demanded government agencies patch their systems immediately.
In an emergency directive assigned 20-04, DHS CISA said: “CISA has determined that this vulnerability poses an unacceptable risk to the Federal Civilian Executive Branch and requires an immediate and emergency action.
SEE: Identity theft protection policy (TechRepublic Premium)
Issuing an emergency directive is a rare move from DHS, and highlights just how grave a threat the Zerologon vulnerability poses to government agencies.
Under US law, the Secretary of Homeland Security is authorized to “issue an emergency directive to the head of an agency to take any lawful action with respect to the operation of the information system…for the purpose of protecting the information system from, or mitigating, an information security threat.”
While the directive only applies to applies to executive government agencies, CISA has advised that state and local government agencies to also apply Microsoft’s August 2020 security, as well as private sector organizations and members of the public.
Bryan Ware, CISA Assistant Director, said in a blog post: “We do not issue emergency directives unless we have carefully and collaboratively assessed it to be necessary.”