CISA releases emergency directive on wormable DNS flaw

The directive orders civilian federal agencies to immediately begin patching a critical Remote Code Execution flaw in Windows DNS servers.

cybersecurity (vs148/

The Cybersecurity and Infrastructure Security Agency has released a new emergency directive ordering federal agencies to patch a critical Remote Code Execution vulnerability in Windows Domain Name System servers.

On July 14, Microsoft announced the vulnerability, which affects versions of Windows Servers between 2003 and 2019. The flaw is wormable – meaning it can jump from computer to computer without human interaction – and was given a vulnerability rating of 10 by the Common Vulnerability Scoring System, the highest possible score.

Two days later, CISA has ordered civilian agencies to take immediate action. While the order stresses that they have yet to see evidence of active exploitation in the wild, CISA said the underlying vulnerabilities can be quickly reverse engineered from the patch that Microsoft made available.

“CISA has determined that this vulnerability poses unacceptable significant risk to the Federal Civilian Executive Branch and requires an immediate and emergency action,” the order reads. “This determination is based on the likelihood of the vulnerability being exploited, the widespread use of the affected software across the Federal enterprise, the high potential for a compromise of agency information systems, and the grave impact of a successful compromise.”

The directive orders agencies to update all endpoints running Windows Server, with software updates and registry workarounds in place for servers with DNS roles required by 2 p.m. on July 17. By a week later, all agencies must ensure the patch is applied to all Windows Servers and put in place new technical or management controls. Agencies must also submit a status report to CISA by July 20 and department-level CIOs must submit another report July 24 attesting that the updates have been applied and that unpatched systems will remain disconnected until they’re updated.

Beginning Aug. 13, CISA Director Chris Krebs will begin working with agencies that haven’t completed the work, and by Sept. 3, CISA will submit a report to the secretary of Homeland Security and director of the Office of Management and Budget detailing outstanding work. 

It’s the second emergency directive CISA has issued mandating immediate mitigation of Domain Name System vulnerabilities, after a global DNS hijacking campaign prompted similar action in 2019.