The Department of Homeland Security’s cybersecurity division has ordered federal civilian agencies to install a security patch for Windows Servers, citing “unacceptable risk” posed by the vulnerability to federal networks.
The DHS order was issued via an emergency directive, a rarely used legal mechanism through which US government officials can force federal agencies to take specific actions.
The target of the DHS’s latest emergency directive is CVE-2020-1472, a vulnerability also known as Zerologon.
The vulnerability is considered extremely dangerous, as it allows threat actors that have a foothold on an internal network to hijack Windows Servers running as domain controllers and effectively take over the entire network.
Microsoft included fixes for the Zerologon vulnerability in the August 2020 Patch Tuesday release, published on August 11; however, many system administrators did not realize how bad the bug really was until Monday of this week, when security researchers from Secura published a technical report explaining CVE-2020-1472 in detail.
This in-depth report was more than enough to allow white-hat and black-hat hackers to create weaponized proof-of-concept Zerologon exploits, which went public within hours of the Secura report.
The availability of these exploits, the widespread use of Windows Servers as domain controllers in US government networks, the maximum 10 out of 10 severity rating that the Zerologon bug received, and the “grave impact” of a successful attack are what led DHS officials to issue a rare emergency directive late Friday afternoon.
“CISA [Cybersecurity and Infrastructure Security Agency] has determined that this vulnerability poses an unacceptable risk to the Federal Civilian Executive Branch and requires an immediate and emergency action,” DHS CISA said in Emergency Directive 20-04.
System admins have until Monday to patch
DHS CISA officials gave federal system administrators until the end of day on Monday to patch all their Windows Servers configured as domain controllers (11:59 PM EDT, Monday, September 21, 2020).
Windows Servers that can’t be patched are to be taken offline and removed from the network, the DHS ordered.
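Verifying the directive's two requirements (every domain controller patched, and any that can't be patched pulled off the network) starts with knowing which DCs have the August 2020 Netlogon fix installed. The following PowerShell script is an added example, not part of the article or of CISA's directive: it enumerates the domain's DCs with the ActiveDirectory module and checks each one's installed updates with Get-HotFix. The KB identifiers are deliberately not hardcoded; look them up in Microsoft's advisory for CVE-2020-1472 for each Windows Server version you run and pass them via -PatchKBs. The report path and the output column names are this example's own choices.

```powershell
# Added example (not from the article or from CISA): inventory every domain
# controller and report whether a CVE-2020-1472 fix is installed.
# Assumes the ActiveDirectory RSAT module and WinRM/WMI access to each DC.
# KB numbers are an input: take them from Microsoft's CVE-2020-1472 advisory
# for each OS version, e.g. -PatchKBs @('KB<Server2019 LCU>','KB<Server2016 LCU>').
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [string[]]$PatchKBs,
    [string]$ReportPath = ".\zerologon-dc-patch-status.csv"   # assumed output path
)

Import-Module ActiveDirectory -ErrorAction Stop

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $status = [pscustomobject]@{
        HostName        = $dc.HostName
        OperatingSystem = $dc.OperatingSystem
        Site            = $dc.Site
        Reachable       = $false
        PatchInstalled  = $false
        MatchedKB       = $null
        Action          = "UNKNOWN"
    }
    try {
        # Get-HotFix reads the installed-update list on the remote host; an
        # unreachable DC is reported explicitly rather than silently skipped,
        # because "unknown" must be treated as "unpatched" under the directive.
        $hotfixes = Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop
        $status.Reachable = $true
        $hit = $hotfixes |
            Where-Object { $PatchKBs -contains $_.HotFixID } |
            Select-Object -First 1
        if ($hit) {
            $status.PatchInstalled = $true
            $status.MatchedKB      = $hit.HotFixID
            $status.Action         = "OK - patched"
        } else {
            $status.Action = "PATCH NOW, or remove from the network (ED 20-04)"
        }
    } catch {
        $status.Action = "Unreachable: $($_.Exception.Message)"
    }
    $status
}

$results | Sort-Object PatchInstalled, HostName | Format-Table -AutoSize
$results | Export-Csv -Path $ReportPath -NoTypeInformation

$unpatched = @($results | Where-Object { -not $_.PatchInstalled })
Write-Host ("{0} of {1} domain controllers are not confirmed patched." -f `
    $unpatched.Count, $results.Count)
if ($unpatched.Count -gt 0) { exit 1 }
```

One caveat when reading the output: on cumulative-update platforms (Windows Server 2016 and later) a DC that received only a later monthly cumulative update already contains the August fix but will not list the August KB, so include the KB numbers of every subsequent cumulative update in -PatchKBs, or cross-check the reported OS build against the advisory. Treat any DC the script cannot reach as unpatched until proven otherwise; the directive's fallback for such hosts is removal from the network, not a deferred check.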
The short deadline for applying security updates is primarily due to the ease of exploitation and severe consequences of a successful Zerologon attack.
Even though Zerologon is not a vulnerability that can be used as the tip of the spear to break into a network from the outside, it is an ideal second-stage payload: an attacker who already has a foothold inside the network can use it against an unpatched domain controller to gain full control over the entire domain.
All week, the cyber-security community has repeatedly warned about how dangerous this vulnerability really is, despite being a “second stage” exploit.
“You must prioritize patching over detection with this kind of bug,” Andrew Robbins, Adversary Resilience Lead at cyber-security firm SpecterOps, said earlier today on Twitter.
“Once an attacker owns your DC, their persistence options far exceed what even the most advanced organizations can hope to recover from,” Robbins added. “An ounce of patching is worth 10 tons of response.”