CISA issues emergency vulnerability warning


The Cybersecurity and Infrastructure Security Agency (CISA) of the United States Department of Homeland Security has given all government agencies 24 hours to correct a critical vulnerability in Windows Server.

An emergency directive was issued yesterday directing agencies to implement patches or mitigations before 2pm EDT today to resolve the CVE-2020-1350 vulnerability, also known as SIGRed.

The flaw is a remote code execution vulnerability that exists in the way that Windows Server is configured to run the Domain Name System (DNS) server role.

An unauthenticated attacker can exploit the vulnerability by sending malicious requests to a Windows DNS server. Successful exploitation lets the attacker execute arbitrary code in the context of the Local System account.

According to the emergency directive, “CISA has determined that this vulnerability represents an unacceptable significant risk for the Federal Civil Executive Branch and requires immediate and emergency action.”

Microsoft released a software update on July 14 to mitigate this critical flaw in Windows Server operating systems. CISA is now directing all government agencies to apply the fix to every Windows Server running the DNS role and to submit an initial status report by 2 pm EST on Monday, July 20.

For Lamar Bailey, director of security research and development at Tripwire, CISA's urgency is understandable.

“CVE-2020-1350 (SIGRed) is one of the most serious vulnerabilities revealed this year,” said Bailey. “It has a CVSS score of 10.”

CISA said “it is not aware of the active exploitation of this vulnerability,” but Bailey believes that even if this is the case, the situation could change in the immediate future.

“It is plausible to believe that this is currently being exploited in the wild or will be very soon,” said Bailey. “It is time to burn the midnight oil and repair it as soon as possible.”

CISA’s actions come after experts warned of the dangers of SIGRed earlier this week. Gill Langston, head security nerd at SolarWinds MSP, urged administrators to address the vulnerability as a “number one priority” after the patch was released on Tuesday.

US government agencies have until 2 p.m. EST on Friday, July 24 to submit a final report, confirming that the vulnerability has been neutralized.