Federal agencies that haven’t patched their Windows Servers against the ‘Zerologon’ vulnerability by Monday Sept. 21 at 11:59 pm EDT are in violation of a rare emergency directive issued by the Secretary of Homeland Security.
With only hours until the deadline for the directive, issued on Friday, to be executed, what is at stake is a “vulnerability [that] poses an unacceptable risk to the Federal Civilian Executive Branch and requires an immediate and emergency action,” according to the Cybersecurity and Infrastructure Security Agency (PDF).
Microsoft released a patch for the vulnerability (CVE-2020-1472) as part of its August 11, 2020 Patch Tuesday security updates. However, earlier this month the stakes got higher for risks tied to the bug when four public proof-of-concept exploits for the flaw were released on Github.
The bug is located in a core authentication component of Active Directory within the Windows Server OS and the Microsoft Windows Netlogon Remote Protocol (MS-NRPC). Exploiting the bug allows an unauthenticated attacker, with network access to a domain controller, to completely compromise all Active Directory identity services, according to Microsoft.
“This attack has a huge impact: It basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain,” said researchers with Secura, in a whitepaper published earlier this month.
As previous reported, the flaw stems from the Netlogon Remote Protocol, available on Windows domain controllers, which is used for various tasks related to user and machine authentication.
“The issue exists in the usage of AES-CFB8 encryption for Netlogon sessions. The AES-CFB8 standard requires that each ‘byte’ of plaintext have a randomized initialization vector (IV), blocking attackers from guessing passwords. However, Netlogon’s ComputeNetlogonCredential function sets the IV to a fixed 16 bits – not randomized – meaning an attacker could control the deciphered text,” according to earlier reporting.
Since the flaw was first identified it has been under active attack. Calls for immediate patching have been unanimous. However, the Monday deadline for patching by CISA suggests still too many systems have not been updated.
“This emergency directive remains in effect until all agencies have applied the August 2020 Security Update (or other superseding updates) or the directive is terminated through other appropriate action,” according to CISA.
The directive is part of the Department of Homeland Security’s “Section 3553(h) of title 44” U.S. Code of Laws.
The directive requires security teams at those affected federal civilian and executive branch departments to update all Windows Servers with the domain controller role by midnight EDT Sept. 21. “If affected domain controllers cannot be updated, ensure they are removed from the network,” the agency said.
Next, agencies must ensure “technical and/or management controls are in place to ensure newly provisioned or previously disconnected domain controller servers are updated before connecting to agency networks,” CISA wrote.
“The availability of the exploit code in the wild increasing likelihood of any upatched domain controller being exploited,” the agency said. It added the widespread presence of the vulnerable domain controllers across the federal enterprise is a concern, coupled with the high potential for agency information systems to be compromised.
The CISA directive orders those agencies, by 11:59 PM EDT, Wednesday, Sept. 23, 2020, to submit a “completion report” to DHS.
“Beginning Oct. 1, 2020, the CISA Director will engage the CIOs and/or Senior Agency Officials for Risk Management of agencies that have not completed required actions, as appropriate and based on a risk-based approach,” read the CISA directive signed by Christopher Krebs, Director, Cybersecurity and Infrastructure Security Agency, within the Department of Homeland Security.