The clock is ticking for IT staff at federal agencies, who have until the end of Monday to install the fix for a recently patched elevation of privilege vulnerability in Windows.
The Cybersecurity and Infrastructure Security Agency (CISA) issued an Emergency Directive on Friday requiring federal agencies to install fixes for a Netlogon elevation of privilege vulnerability (CVE-2020-1472) by Sept. 21, 11:59 PM EDT. If left unpatched, an unauthenticated attacker could exploit the flaw to establish a connection to the domain controller via a specially crafted application. The attacker would have domain administrator access and the ability to perform a wide range of activities on the network. The flaw has been named Zerologon by researchers at security company Secura, who discovered the issue.
Applying the security update released by Microsoft last month as part of the August release is the only available mitigation for this critical vulnerability, CISA said in its Emergency Directive 20-04. Agencies are required to apply the Windows Server August 2020 security update to all domain controllers by Monday, and submit reports documenting they have completed the necessary fixes by Sept. 23. Any domain controllers that can’t be updated by the deadline must be removed from agency networks.
“CISA has determined that this vulnerability poses an unacceptable risk to the Federal Civilian Executive Branch and requires an immediate and emergency action,” CISA said.
CISA releases alerts and advisories as needed, but it saves emergency directives (which have the power to force federal agencies to act) for the most serious and time-sensitive issues. Microsoft released the security updates last month, but Secura didn’t publish the technical details until a few days ago. CISA issued the emergency directive because of a combination of factors: the vulnerability carries a Common Vulnerability Scoring System base score of 10; several proof-of-concept exploits have already been published; Windows Servers are widely used as domain controllers throughout the federal government; and the vulnerability was still widely unpatched even though the update was released more than 30 days ago.
A successful attack on government networks could have a “grave impact,” CISA said.
Agencies are also required to ensure that a process is in place to make sure that newly-provisioned or previously-disconnected domain controller servers have the latest updates deployed before they are connected to federal networks.
“These requirements apply to Windows Servers with the Microsoft Entra ID domain controller role in any information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information,” CISA said.
CISA will provide a report identifying cross-agency status and outstanding issues to the secretary of Homeland Security and the director of the Office of Management and Budget by Oct. 5.
Microsoft originally assigned the flaw an exploitability assessment score of 2, meaning the risk of exploitation was less likely. That’s because attackers need to already have a presence on the network before they can exploit Zerologon. It is not the kind of vulnerability that would allow attackers a way into the network. However, there are many ways for an attacker to get into the network, and if the domain controller on that network is left unpatched, then the attacker would be able to take control of the whole network.
According to scan activity data collected by GreyNoise Intelligence, there have been "interesting" Kerberos probes which could be considered the first step in testing for Zerologon, but "very few so far." Of the 12 IP addresses observed, seven appear to be malicious.