CISA orders agencies to patch dire Windows flaw

The Cybersecurity and Infrastructure Security Agency alerted federal agencies of an authentication flaw in Microsoft server software in need of an immediate fix.

By Oct. 5, CISA wants to be able to provide a detailed report on the status of the upgrade to the secretary of the Department of Homeland Security and the director of the Office of Management and Budget on cross-agency status and issues that remain to be resolved.


A serious flaw in Microsoft Windows could leave federal government servers open to hackers and needs to be patched by midnight on Sept. 21, said a warning from the Cybersecurity and Infrastructure Security Agency.

The vulnerability affects core authentication capabilities, CISA warned in a Sept. 18 emergency directive. Failure to patch could permit unauthorized attackers to access and take over domain controllers' identity services.

The warning cites the "widespread presence of the affected domain controllers across the federal enterprise" and the "high potential for a compromise of agency information systems."

The vulnerability, Microsoft said in an August notice on the problem, could allow an attacker to elevate their domain privileges within the network without authentication, once they get inside.

If an unauthorized attacker gets control of the identity capabilities at one agency, said CISA, the access could be used to compromise other federal networks.

"CISA has determined that this vulnerability poses an unacceptable risk to the federal civilian executive branch and requires an immediate and emergency action," said the directive.

Microsoft issued a software upgrade for the server vulnerability on Aug. 11. It said it plans to issue an additional update in the first quarter of 2021. In an accompanying assessment, the company said it had not seen any exploitation of the vulnerability.

CISA's directive requires all agencies to update their domain controllers with a patch from Microsoft by 11:59 p.m. Eastern time on Sept. 21. If servers can't be upgraded, they should be disconnected from networks.

After the software upgrade is in place, CISA requires agency CIOs to submit a completion report by Sept. 23 that states the update has been applied to all affected servers and that newly provisioned and disconnected servers will be patched as required before they are connected to the network.
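The directive's steps above (patch every domain controller, disconnect any that cannot be patched, report completion) are easier to evidence with an inventory. The following PowerShell is an added example written for this page, not a script from CISA or the article; it assumes a domain-joined administrative workstation with the ActiveDirectory RSAT module and remote access to each domain controller, and, since the article does not name the KB number, it approximates "patched" as any Microsoft update installed on or after the Aug. 11 release date.

```powershell
# Added example (not from the article or CISA): list every domain controller in
# the current domain and record whether an update dated Aug. 11, 2020 or later
# is installed, so the completion report rests on collected evidence.
# Assumptions: ActiveDirectory module present; WinRM/RPC reachable on each DC.
# The fix's KB number is not given in the article, so the install-date filter
# is a stand-in; replace it with the specific KB once known.

Import-Module ActiveDirectory

$releaseDate = Get-Date '2020-08-11'

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Updates installed on or after the vendor release date
        $hotfixes = Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop |
            Where-Object { $_.InstalledOn -ge $releaseDate }
        [pscustomobject]@{
            DomainController = $dc.HostName
            Site             = $dc.Site
            OperatingSystem  = $dc.OperatingSystem
            Reachable        = $true
            PostReleaseKBs   = ($hotfixes.HotFixID -join ',')
            Status           = if ($hotfixes) { 'UpdatedSinceRelease' } else { 'NeedsReview' }
        }
    } catch {
        # A DC that cannot be queried must be followed up manually; per the
        # directive, unpatchable servers are to be taken off the network.
        [pscustomobject]@{
            DomainController = $dc.HostName
            Site             = $dc.Site
            OperatingSystem  = $dc.OperatingSystem
            Reachable        = $false
            PostReleaseKBs   = ''
            Status           = 'Unreachable'
        }
    }
}

$report | Sort-Object Status, DomainController | Format-Table -AutoSize
$report | Export-Csv -Path .\dc-patch-status.csv -NoTypeInformation
```

Anything in the NeedsReview or Unreachable rows is what the CIO's Sept. 23 report still has to account for, either as patched, as disconnected, or as scheduled to be patched before reconnection.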

The agency said it is also keeping an eye on compliance through the Continuous Diagnostics and Mitigation (CDM) program. Agencies can get support from CDM systems integrators in the effort as well, it said.