The U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) asked federal authorities to update all their Windows systems that are vulnerable to the CVE-2020-1472 bug. In an emergency directive, the agencies urged to update all Windows Servers with the domain controller role in any information systems which collects, processes, stores, transmits, disseminates, or maintains agency information.
The vulnerability dubbed as “Zerologon” affects Windows Server 2008 and onwards. An attacker can exploit the flaw by leveraging the Netlogon Remote Protocol to get a connection to the domain controller.
Patch Unfinished
Microsoft patched the vulnerability in its August Patch Tuesday last month. According to CISA, several proof-of-concept exploits caused widespread concern across the industry and the bug was unpatched in many government agencies. The vulnerability could allow attackers to hijack the Windows domain controller. All an attacker requires is local network access, which is also why it cannot be performed directly over the internet. However, if an attacker sets their foothold in the target environment, they can change the administrator password on any Windows Domain Controller they can reach.
CISA stated that the vulnerability may cause severe security risks to the Federal Civilian Executive Branch. The determination of the vulnerability is based on:
The availability of the exploit code in the wild increasing likelihood of any unpatched domain controller being exploited.
The widespread presence of the affected domain controllers across the federal enterprise.
The high potential for a compromise of agency information systems.
The grave impact of a successful compromise.
The continued presence of the vulnerability more than 30 days since the update was released.
“Update all Windows Servers with the domain controller role. Apply the August 2020 Security Update to all Windows Servers with the domain controller role. If affected domain controllers cannot be updated, ensure they are removed from the network. And ensure technical and/or management controls are in place to ensure newly provisioned or previously disconnected domain controller servers are updated before connecting to agency networks,” the emergency directive added.
