CISA issues emergency warning over critical Windows vulnerability
Cybersecurity and Infrastructure Security Agency (CISA) has taken the extraordinary steps of issuing an emergency alert about a critical vulnerability in Windows.
CISA issued the warning to government departments, saying it "has determined that this vulnerability poses an unacceptable risk to the Federal Civilian Executive Branch and requires an immediate and emergency action". With Emergency Directive 20-04, the CISA requires agencies to install the August 2020 Security Update to mitigate against a vulnerability in Microsoft Windows Netlogon Remote Protocol.
- Microsoft acknowledges that Windows 10 KB4568831 update is crashing Lenovo ThinkPads
- Microsoft is forcing the new Edge on users with KB4576754 update for Windows 10
- Windows 10 KB4571756 update is causing 'Element not found' errors in Windows Subsystem for Linux 2
The vulnerability affects Windows Server and could allow an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services. While the directive obliges Executive Branch agencies to install Microsoft's August 2020 Security Update, CISA's assistant director, Bryan Ware, says:
We strongly urge our partners in State and local government, the private sector, and the American public to apply this security update as soon as possible. If enterprises cannot immediately apply the update, we urge them to remove relevant domain controllers from their networks.
Back in August, Microsoft gave the following explanation of the vulnerability (CVE-2020-1472), which has the maximum CVSS score of 10.0:
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.
To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.
Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels.
The CISA's Emergency Directive 20-04 can be read here.