CISA Gives Agencies 24 Hours to Mitigate Windows DNS Server Vulnerability 


The agency issued an emergency directive for just the third time ever.

The race is on. Microsoft has released a software update to Windows server operating systems that must be implemented as soon as possible, an emergency directive from the Cybersecurity and Infrastructure Security Agency stated.

The update, released on July 14, a “Patch Tuesday,” addresses a vulnerability that could give unauthorized users the ability “to run arbitrary code in the context of the Local System Account” by sending malicious requests to a Windows DNS server. 

The directive instructs agencies to at least apply a “workaround” if they need to buy time, but to do it by 2 p.m. Eastern Standard Time on July 17. CISA requires an initial status report on Mon., July 20 and a completion report on Fri., July 24.

“CISA has determined that this vulnerability poses unacceptable significant risk to the Federal Civilian Executive Branch and requires an immediate and emergency action,” the directive reads. “This determination is based on the likelihood of the vulnerability being exploited, the widespread use of the affected software across the Federal enterprise, the high potential for a compromise of agency information systems, and the grave impact of a successful compromise.”

In a blog post on the directive, CISA Director Christopher Krebs noted this is only the third time “I have found it urgent enough to take this type of action and issue an Emergency Directive.” 

According to the directive, it’s possible for malicious actors to reverse engineer a publicly available patch to expose underlying vulnerabilities. The technical ways to mitigate the vulnerability are a software update or a registry modification.

The registry modification is the workaround that must be completed Friday if patching isn’t possible within 24 hours.

But “CISA requires that agencies apply the security update to all endpoints running Windows Server operating system as soon as possible,” the directive states.

By 2 p.m. on July 24, agencies must “ensure the July 2020 Security Update is applied to all Windows Servers and, if necessary and applicable, the registry change workaround is removed.”

CISA notes the registry modification workaround is compatible with the security update but stresses agencies should remove it once they’ve applied the update “to prevent potential future impact that could result from running a nonstandard configuration.” 

CISA recommended that servers that can’t be patched within seven business days be removed from networks.

“If you have Windows Servers running DNS, you should patch now,” Krebs said. “Don’t wait on this one.”