CISA Orders Immediate Action to Fix Vulnerability in Windows Directory


The agency has seen code designed to exploit the vulnerability in a system used to permit access to network resources.

The Cybersecurity and Infrastructure Security Agency said code is publicly available to exploit a vulnerability disclosed more than a month ago in a Microsoft system widely used across the federal enterprise and issued an emergency directive over the weekend with actions required by the end of the day.

“Update all Windows Servers with the domain controller role by 11:59 PM EDT, Monday, September 21, 2020,” reads the directive the agency released Friday evening. 

Domain controllers are computers that store user account information and validate credentials before allowing host access based on the domain’s security policy. Microsoft released an update to fix a critical vulnerability in its related directory service on Aug. 11. Not applying it could have dire consequences, CISA warned.

“The vulnerability in Microsoft Windows Netlogon Remote Protocol (MS-NRPC), a core authentication component of Active Directory, could allow an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services,” according to the advisory.

If for some reason the vulnerability can’t be patched immediately, CISA is requiring agencies to remove affected domain controllers from the network. CISA suggests using scanning tools and other methods to confirm that the update has been properly deployed, including on systems run by entities operating on an agency’s behalf.
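One way an agency could check deployment across its own domain controllers, as an added example that is not from the article or from CISA: the PowerShell below enumerates every domain controller in the forest with the ActiveDirectory module and reports whether each one has received any update since Microsoft’s Aug. 11, 2020 release date. The `$RequiredKB` value is a placeholder to be replaced with the KB article number for each server’s OS build.

```powershell
# Added example: inventory domain controllers and flag those with no update installed
# on or after the Aug. 11, 2020 release date. Requires the ActiveDirectory module and
# remote WMI access to each DC. $RequiredKB is a placeholder, not a real identifier.
#Requires -Modules ActiveDirectory
param(
    [datetime]$PatchReleaseDate = '2020-08-11',
    [string]$RequiredKB = 'KB<placeholder>'   # fill in the KB id for your OS build
)

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Get-HotFix reads Win32_QuickFixEngineering on the remote host
        $hotfixes = Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop
    } catch {
        # A DC that cannot be queried still needs to appear in the report
        [pscustomobject]@{
            DomainController = $dc.HostName
            OperatingSystem  = $dc.OperatingSystem
            LatestUpdate     = $null
            Status           = "UNREACHABLE: $($_.Exception.Message)"
        }
        continue
    }

    $hasRequired = $hotfixes.HotFixID -contains $RequiredKB
    # Some QFE entries carry no InstalledOn date, so test the field before comparing
    $recent = $hotfixes | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchReleaseDate }
    $status = if ($hasRequired) { 'PATCHED (required KB present)' }
              elseif ($recent)  { 'REVIEW (updates since release date, required KB not listed)' }
              else              { 'UNPATCHED (no updates since release date)' }

    [pscustomobject]@{
        DomainController = $dc.HostName
        OperatingSystem  = $dc.OperatingSystem
        LatestUpdate     = ($hotfixes | Where-Object InstalledOn |
                            Sort-Object InstalledOn -Descending |
                            Select-Object -First 1).InstalledOn
        Status           = $status
    }
}

$results | Sort-Object Status, DomainController | Format-Table -AutoSize
```

Get-HotFix only lists updates that register through Quick Fix Engineering, so a REVIEW or UNPATCHED result should be confirmed against the servicing stack or a vulnerability scanner before a controller is pulled from the network.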

Chief information officers or their department-level equivalents must report their status in completing the directive to CISA by 11:59 PM on Wednesday. CIOs and/or senior agency officials for risk management at agencies that haven’t completed the required actions can expect to hear from the CISA director beginning Oct. 1. And by Oct. 5, CISA intends to report outstanding issues to the secretary of the Department of Homeland Security and the director of the Office of Management and Budget.

“We do not issue emergency directives unless we have carefully and collaboratively assessed it to be necessary,” CISA Assistant Director Bryan Ware said in a blog post Friday. He added that investments in CISA’s Continuous Diagnostics and Mitigation program “will pay dividends as it will help federal agencies with mature implementation to identify where unpatched servers reside and track patching progress.”

CISA asks that agencies participating in CDM reach out to the program’s portfolio team if they want help from system integrators. 

“The availability of the exploit code in the wild” and “the grave impact of a successful compromise” are among the reasons CISA gave for its determination that the vulnerability poses an unacceptable risk to the federal civilian executive branch. The agency is also urging state and local governments and the private sector to apply the update as soon as possible.