Windows Server Update Gets Serious: You Have The Weekend To Comply, Homeland Security Says
Windows security updates should always be taken seriously, of that there is no doubt. But when the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) issues an emergency directive for a critical Windows Server vulnerability rated a perfect 10, the urgency meter goes off the scale.
This is a vulnerability that lets an attacker with network access to a domain controller gain domain administrator privileges by sending Netlogon authentication messages consisting of zeros. A vulnerability that, CISA said, must be assumed to be under active exploitation in the wild.
Here’s what we know about the Zerologon exploit and what you need to do about it right now.
CISA doesn’t issue emergency directives unless there’s a serious cause for concern. The last time I reported on such a rare directive was back in July when government agencies were given just 24 hours to update, you guessed it, Windows Server.
This time around, they get the whole weekend, with a deadline of 11:59 PM EDT on Monday, September 21, to get their patching in order.
CVE-2020-1472 is about as serious as it gets, hence the maximum 10.0 Common Vulnerability Scoring System (CVSS) rating and the critical severity that Microsoft has attached to it. The vulnerability itself lets an attacker who already has a foothold on the network establish a vulnerable Netlogon secure channel connection to a Windows Server Active Directory domain controller, which is the first step to taking over the whole domain.
The good news is that Microsoft already issued a patch for the vulnerability in its August 2020 security updates.
The bad news is that proof-of-concept code demonstrating how to exploit unpatched systems is now publicly available.
This post-compromise exploit has been named Zerologon because the attack sends Netlogon authentication messages in which the client challenge and the client credential are all zeros. Netlogon encrypts these values with AES in CFB8 mode using a fixed all-zero initialization vector, so for roughly one session key in 256 an all-zero credential is exactly what the domain controller expects, and the attacker simply retries the handshake until one is accepted. As long as the attacker can establish a connection with the domain controller on an unpatched system, no valid credentials are required to elevate privileges to the max and become an ‘instant admin.’
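To make concrete why a string of zeros is accepted, here is an added example; it is not code from the article, from Microsoft or from the researchers who found the bug. It models Netlogon's credential computation, AES-128 in CFB8 mode with a fixed all-zero IV, at the mode level. Because CFB mode only ever uses the cipher's forward direction, a keyed SHA-256 truncated to 16 bytes stands in for AES: the flaw lives in the mode and the IV, not in the cipher, so the stand-in reproduces it exactly. The 8-byte challenge and credential and the 16-byte session key follow the protocol; the function names, the `secure_rpc` flag and the deterministically derived session keys are illustrative assumptions, not Netlogon's own interfaces.

```python
# Added example: why an all-zero Netlogon challenge and credential get accepted.
# A keyed, truncated SHA-256 stands in for the AES forward transform (CFB never
# needs the decrypt direction). It is NOT AES and NOT real Netlogon code.
import hashlib

BLOCK = 16          # 128-bit block, as with AES
CHALLENGE_LEN = 8   # Netlogon challenge / credential size
ZERO_IV = bytes(BLOCK)


def prf_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_k(block), the forward direction of a 128-bit block cipher."""
    assert len(key) == BLOCK and len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: encrypt the shift register, XOR its first byte into one plaintext
    byte, then shift that ciphertext byte into the register."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = prf_block(key, bytes(register))[0] ^ p
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def cfb8_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Inverse of cfb8_encrypt; the register is fed the same ciphertext bytes."""
    register = bytearray(iv)
    out = bytearray()
    for c in ciphertext:
        out.append(prf_block(key, bytes(register))[0] ^ c)
        register = register[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """Shape of Netlogon's credential computation: CFB8 over the 8-byte
    challenge with a FIXED all-zero IV. The fixed zero IV is the bug."""
    return cfb8_encrypt(session_key, ZERO_IV, challenge)


def is_weak_session_key(session_key: bytes) -> bool:
    """With IV = 0 and challenge = 0 the register stays all-zero as long as every
    output byte is 0, so the credential is all zeros exactly when
    E_k(0^128)[0] == 0. For a key the attacker does not know, that is 1 in 256."""
    return prf_block(session_key, ZERO_IV)[0] == 0


def server_accepts(session_key: bytes, client_challenge: bytes,
                   client_credential: bytes) -> bool:
    """Unpatched domain controller: recompute the credential and compare."""
    return compute_netlogon_credential(session_key, client_challenge) == client_credential


def server_accepts_hardened(session_key: bytes, client_challenge: bytes,
                            client_credential: bytes, secure_rpc: bool) -> bool:
    """Illustrative model of the patched DC in enforcement mode: it refuses
    Netlogon secure-channel connections that do not use secure RPC (signing and
    sealing). The attacker cannot sign or seal without the session key, so the
    unsigned handshake the attack depends on is rejected outright."""
    if not secure_rpc:
        return False
    return server_accepts(session_key, client_challenge, client_credential)


def zerologon_attempts(session_keys) -> int:
    """Simulate the attack loop: send ClientChallenge = 0 and ClientCredential = 0
    and retry. Every retry is a fresh handshake with a new (unknown) session key,
    so about 256 tries are needed on average. Returns the 1-based attempt that
    succeeded, or 0 if none did."""
    zero = bytes(CHALLENGE_LEN)
    for attempt, key in enumerate(session_keys, start=1):
        if server_accepts(key, zero, zero):
            return attempt
    return 0


def derived_session_keys(n: int, seed: bytes = b"zerologon-demo"):
    """Constructed, deterministic stand-ins for the per-handshake session keys."""
    for i in range(n):
        yield hashlib.sha256(seed + i.to_bytes(4, "big")).digest()[:BLOCK]


def fraction_weak(n: int) -> float:
    """Empirical probability that a session key accepts the all-zero credential."""
    return sum(is_weak_session_key(k) for k in derived_session_keys(n)) / n


if __name__ == "__main__":
    keys = list(derived_session_keys(5000))
    print("all-zero handshake first accepted on attempt", zerologon_attempts(keys))
    print("fraction of weak session keys:", fraction_weak(20000), "expected ~", 1 / 256)
```

The point to take away is in `is_weak_session_key`: with a zero IV and a zero plaintext, a single zero output byte keeps the shift register at zero, so one lucky byte turns into eight, and a real cipher offers no more resistance here than the hash stand-in does. The hardened variant shows why the fix is about the transport rather than the arithmetic: once signing and sealing are mandatory, the attacker has to prove knowledge of the session key before the zero credential is ever compared.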
Emergency Directive 20-04 requires federal agencies to take the “immediate and emergency action” that CISA has determined necessary to mitigate the “unacceptable risk” that the Zerologon exploit poses. That action is to “immediately apply the Windows Server August 2020 security update to all domain controllers,” and to do so by the end of Monday, September 21.
Call The IT Guys before you regret not doing so!