You have 24 hours to comply, Homeland Security tells federal agencies


The July 14 ‘Patch Tuesday’ security updates released by Microsoft included a particularly nasty critical vulnerability. CVE-2020-1350, to be formal, or SIGRed as it is known, scored a “perfect” 10 under the Common Vulnerability Scoring System (CVSS) for good reasons: it is wormable, easy to exploit and likely to be exploited.

So likely is it to be exploited that the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued an equally rare emergency directive giving government agencies only 24 hours to update Windows Server or apply other mitigations.


Why is SIGRed so dangerous?

SIGRed was discovered by researchers at Check Point and is a vulnerability within the implementation of the Windows Domain Name System (DNS) service. Microsoft has confirmed that the vulnerability affects all versions of Windows Server.

The wormable Windows vulnerability could allow attackers to gain full administrator rights over a network and achieve arbitrary code execution. Being wormable puts this vulnerability on a par, in terms of criticality, with WannaCry and NotPetya, as it has the potential to spread without user interaction and to spread very quickly.

“Windows DNS Server is an almost ubiquitous platform that often runs on multiple highly sensitive machines within an enterprise network,” said Katie Nickels, director of intelligence for Red Canary, “meaning there could be multiple instances of Windows DNS Server offering a foothold in any given environment, and those footholds may well offer an attacker a highly privileged level of access.”

What does the CISA emergency directive say?

Emergency Directive 20-03 was signed by Christopher C. Krebs, the director of CISA. Issued on July 16, the directive says that CISA has “determined that this vulnerability represents a significant unacceptable risk to the Federal Civil Executive Branch” and, therefore, “requires immediate and emergency action.” That action is that all endpoints running Windows Server operating systems must be updated.

Windows updates become a serious matter, however, when you look at the deadlines set in this emergency directive.


You have 24 hours to comply

Federal agencies that have Windows Server running the DNS role within the enterprise must apply the July 2020 Windows update, or the registry modification workaround that Microsoft released, before 2 pm EDT on July 17. That gives these organizations only 24 hours to comply.

Agencies where Windows Server is used, but not for DNS, must update or mitigate before 2 pm EDT on July 24.

The emergency directive states that the requirements apply to Windows servers in “any information system, including information systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates or maintains agency information.”


While this directive applies only to relevant departments and agencies of the U.S. Executive Branch, CISA strongly recommends that state and local governments follow the advice and update as soon as possible. The same is true, frankly, for the private sector and people running Windows Server.

Lamar Bailey, director of security research and development at Tripwire, said: “CVE-2020-1350 is one of the most serious vulnerabilities revealed this year. It is time to burn the midnight oil and repair it as soon as possible.”
