
CISA Asks Federal Agencies to Patch 'Zerologon' Vulnerability ASAP

by Chris Brook on Wednesday September 23, 2020


In a rare emergency directive, CISA asked all federal agencies to immediately deploy last month's Windows Security Update to remediate a critical vulnerability in Netlogon.

The Department of Homeland Security is again reiterating the severity of a vulnerability recently disclosed in the Microsoft Windows Netlogon Remote Protocol that could let an attacker with network access completely compromise all Active Directory identity services.

The vulnerability, a privilege escalation flaw that received a 10 out of 10 score on the Common Vulnerability Scoring System (CVSS) v3.0 vulnerability severity scale, was first patched back in August but flew under the radar of many until last week, when Secura, a Dutch security firm, published a paper outlining the vulnerability. Exploit code for the flaw was posted online shortly thereafter.

On Friday, a week after Secura's disclosure, the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) ordered all federal agencies - if they haven't already - to update any Windows Servers with the domain controller role with the patch by 11:59 PM EDT tonight. If any controllers can’t be updated, CISA is asking admins to remove them from the network.

The agency is also asking federal agencies to make sure that mitigations are in place to ensure that domain controller servers are updated before connecting them to agency networks.

“In addition to agencies using their vulnerability scanning tools for this task, CISA recommends that agencies use other means to confirm that the update has been properly deployed,” the agency writes. “These requirements apply to Windows Servers with the Active Directory domain controller role in any information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.”

The second part of CISA's directive requires Department-level Chief Information Officers (CIOs) of agencies to submit a completion report acknowledging that the vulnerability has been patched. The report asks organizations how many Windows Servers with the Active Directory Domain Controller role the organization is currently overseeing, how many are patched, how many are removed from the network, and how many are unsupported, or end of life, but still on the network.

CISA also wants to make sure each organization has technical controls in place to ensure that any new or previously disconnected domain controllers have the August update before they’re connected again; it also wants to know if organizations ran into any issues patching the flaw.
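One way to carry out the verification and reporting the directive describes, as an added example that is not from the article or from CISA: enumerate every domain controller, ask each one directly whether the update is installed (an "other means" beyond a vulnerability scanner), and tally the counts the completion report asks for. It assumes a domain-joined admin host with the RSAT ActiveDirectory module and WinRM access to the DCs; the KB identifier is a placeholder, since the article does not give it, and the end-of-life OS pattern is an assumption.

```powershell
# Added example (not from the article or CISA): inventory every domain
# controller, check whether the Netlogon update is installed, and produce
# the counts the directive's completion report asks for.
# ASSUMPTIONS: domain-joined admin host with the RSAT ActiveDirectory module,
# WinRM to the DCs, and the real KB number of the August 2020 update filled in.
Import-Module ActiveDirectory

$PatchKB = 'KB0000000'   # PLACEHOLDER: replace with the August 2020 update's KB id
# OS versions treated as unsupported / end of life (assumption for this example)
$EolPattern = 'Windows Server (2003|2008)'

$report = [ordered]@{ Total = 0; Patched = 0; Unpatched = 0; Unreachable = 0; Unsupported = 0 }
$rows = foreach ($dc in Get-ADDomainController -Filter *) {
    $report.Total++
    $os = (Get-ADComputer $dc.Name -Properties OperatingSystem).OperatingSystem
    $unsupported = $os -match $EolPattern
    if ($unsupported) { $report.Unsupported++ }

    # Ask the DC itself rather than trusting a scanner's view
    try {
        $hotfix = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            param($kb) Get-HotFix -Id $kb -ErrorAction SilentlyContinue
        } -ArgumentList $PatchKB
        $status = if ($hotfix) { 'Patched' } else { 'Unpatched' }
    } catch {
        $status = 'Unreachable'   # possibly a DC already removed from the network
    }
    $report[$status]++
    [pscustomobject]@{ DC = $dc.HostName; OS = $os; Status = $status; Unsupported = $unsupported }
}

$rows | Format-Table -AutoSize
[pscustomobject]$report | Format-List
# Any DC reported as Unpatched or Unsupported must be patched or disconnected.
```

Run it again after patching and before reconnecting any previously disconnected controller, so the per-DC table doubles as the evidence the completion report requires.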

It’s the fourth Emergency Directive issued by CISA since the agency’s inception and the third so far this year. The other two, for those keeping track, also involved vulnerabilities in Windows operating systems: one addressed weaknesses in how Windows validates Elliptic Curve Cryptography (ECC) certificates and how Windows handles connection requests in the Remote Desktop Protocol (RDP) server and client, and another resolved a remote code execution vulnerability in how Windows Server runs the DNS Server role.

Tags:  Vulnerabilities
