Data Insider: Digital Guardian's Blog

CISA Asks Federal Agencies to Patch 'Zerologon' Vulnerability ASAP

by Chris Brook on Wednesday September 23, 2020


In a rare emergency directive, CISA has ordered all federal agencies to immediately deploy last month's Windows security update, which remediates a critical vulnerability in Netlogon.

The Department of Homeland Security is again reiterating the severity of a recently disclosed vulnerability in the Windows Netlogon Remote Protocol (MS-NRPC) that could let an unauthenticated attacker with network access to a domain controller completely compromise all Active Directory identity services.

The vulnerability (CVE-2020-1472), an elevation of privilege flaw that received a 10 out of 10 score on the Common Vulnerability Scoring System (CVSS) v3.0 severity scale, was first patched in Microsoft's August 2020 update but flew under the radar of many until last week, when Secura, a Dutch security firm, published a paper outlining the vulnerability and naming it Zerologon. Exploit code for the flaw was posted online shortly thereafter.

On Friday, a week after Secura's disclosure, the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) ordered all federal agencies - if they haven't already - to apply the August update to every Windows Server holding the Active Directory domain controller role by 11:59 PM EDT on Monday, September 21. Any domain controller that can’t be updated is to be removed from the network.

The agency is also requiring federal agencies to have technical and management controls in place so that a domain controller is updated before it is connected, or reconnected, to an agency network.

“In addition to agencies using their vulnerability scanning tools for this task, CISA recommends that agencies use other means to confirm that the update has been properly deployed,” the agency writes. “These requirements apply to Windows Servers with the Active Directory domain controller role in any information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.”

The second part of CISA's directive requires Department-level Chief Information Officers (CIOs) to submit a completion report confirming that the vulnerability has been patched. The report asks each organization how many Windows Servers with the Active Directory domain controller role it currently oversees, how many are patched, how many have been removed from the network, and how many are unsupported, or end of life, but still on the network.

CISA also wants each organization to confirm it has technical controls in place to ensure that any new or previously disconnected domain controller has the August update before it is connected; it also wants to know whether organizations ran into any issues deploying the patch.
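The directive's "other means" of confirming deployment, the requirement that reconnected domain controllers already carry the update, and the counts the completion report asks for can all be driven from one inventory script. The following PowerShell is an added example written for this page; it is not from CISA, Microsoft or the Digital Guardian post. It assumes the ActiveDirectory RSAT module is available where it runs and that WinRM is enabled on the domain controllers. The minimum build numbers and KB numbers it checks are the editor's understanding of the August 11, 2020 updates and are labelled as assumptions in the code; confirm them against Microsoft's advisory for CVE-2020-1472 before relying on the result. The enforcement-mode registry value and the Netlogon event IDs 5827 through 5831 are those Microsoft documents in KB4557222 for the patched Netlogon service.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not CISA's, Microsoft's or the blog's own code): inventory every
# domain controller, verify the August 2020 Netlogon fix (CVE-2020-1472) by means
# other than a vulnerability scanner, and roll the results up into the counts that
# ED 20-04's completion report asks for.

param([int]$EventLookbackHours = 24)

# ASSUMPTION: minimum Update Build Revision carrying the August 2020 cumulative
# update, keyed by OS version. Verify against Microsoft's CVE-2020-1472 advisory.
$MinBuild = @{
    '10.0.17763' = 1397   # Windows Server 2019 (KB4565349)
    '10.0.14393' = 3866   # Windows Server 2016 (KB4571694)
}
# ASSUMPTION: August 2020 monthly rollup / security-only KBs for down-level servers.
$LegacyKBs = @('KB4571703', 'KB4571723',   # Windows Server 2012 R2
               'KB4571736', 'KB4571702',   # Windows Server 2012
               'KB4571729', 'KB4571719')   # Windows Server 2008 R2 SP1

$remoteCheck = {
    param($MinBuild, $LegacyKBs, $LookbackHours)

    $ver = [version](Get-CimInstance Win32_OperatingSystem).Version   # e.g. 10.0.17763
    $key = "$($ver.Major).$($ver.Minor).$($ver.Build)"
    $ubr = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' `
                -ErrorAction SilentlyContinue).UBR

    # Patched if the cumulative build is at or past the August level, or, on
    # down-level servers, if one of the August rollups is listed as installed.
    $patched = if ($MinBuild.ContainsKey($key)) {
        [int]$ubr -ge $MinBuild[$key]
    } else {
        [bool](Get-HotFix | Where-Object HotFixID -in $LegacyKBs)
    }

    # FullSecureChannelProtection = 1 (KB4557222) denies every vulnerable Netlogon
    # secure-channel connection, not only those from Windows machine accounts.
    $enf = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
                -Name FullSecureChannelProtection -ErrorAction SilentlyContinue).FullSecureChannelProtection

    # The patched Netlogon service writes 5827-5831 to the System log; 5827/5828 are
    # denied vulnerable connections, 5829-5831 are vulnerable connections still allowed
    # (5829 names the client that needs fixing before enforcement mode is turned on).
    $since  = (Get-Date).AddHours(-$LookbackHours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'NETLOGON'
        Id = 5827, 5828, 5829, 5830, 5831; StartTime = $since
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        OSVersion         = if ($ubr) { "$key.$ubr" } else { $key }
        Patched           = $patched
        EnforcementMode   = ($enf -eq 1)
        DeniedVulnerable  = @($events | Where-Object Id -in 5827, 5828).Count
        AllowedVulnerable = @($events | Where-Object Id -in 5829, 5830, 5831).Count
    }
}

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $r = Invoke-Command -ComputerName $dc.HostName -ScriptBlock $remoteCheck `
                -ArgumentList $MinBuild, $LegacyKBs, $EventLookbackHours -ErrorAction Stop
        $r | Add-Member -NotePropertyName DC -NotePropertyValue $dc.HostName -PassThru
    } catch {
        # Unreachable controllers are reported, not silently dropped: an unreachable
        # DC is not a patched DC.
        [pscustomobject]@{ DC = $dc.HostName; OSVersion = $dc.OperatingSystem; Patched = $null
                           EnforcementMode = $null; DeniedVulnerable = $null; AllowedVulnerable = $null }
    }
}

$results | Format-Table DC, OSVersion, Patched, EnforcementMode, DeniedVulnerable, AllowedVulnerable -AutoSize

# Counts in the shape the ED 20-04 completion report asks for.
[pscustomobject]@{
    DomainControllers = @($results).Count
    Patched           = @($results | Where-Object Patched -eq $true).Count
    Unpatched         = @($results | Where-Object Patched -eq $false).Count
    Unreachable       = @($results | Where-Object { $null -eq $_.Patched }).Count
} | Format-List
```

Two points of design. First, the script treats a domain controller it cannot reach as unpatched for reporting purposes rather than omitting it, which is the posture the directive's "remove it from the network" instruction implies. Second, the presence of the update does not by itself mean the domain is protected: the patched Netlogon service only refuses vulnerable connections from Windows machine accounts until enforcement mode is enabled, so a non-zero AllowedVulnerable count (event ID 5829) lists the remaining clients to fix before FullSecureChannelProtection can be set to 1.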

It’s the fourth Emergency Directive issued by CISA since the agency’s inception and the third so far this year. The other two from 2020, for those keeping track, also involved vulnerabilities in Windows: January's directive addressed weaknesses in how Windows validates Elliptic Curve Cryptography (ECC) certificates and how Windows handles connection requests in the Remote Desktop Protocol (RDP) server and client, and July's resolved a remote code execution vulnerability in how Windows Server runs the DNS Server role.


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.