The US Department of Homeland Security (DHS) has issued an emergency directive (Emergency Directive 20-04) that orders US federal agencies to patch the Zerologon vulnerability (CVE-2020-1472) by Monday.
The vulnerability in question is a critical elevation of privilege flaw in the Netlogon Remote Protocol (MS-NRPC), an authentication protocol that every Windows server supports in order to operate in a domain environment. Named Zerologon, the flaw could be used by an unauthenticated attacker with network access to a domain controller to take over the entire Windows domain. CVE-2020-1472 impacts systems running Windows Server 2008 R2 and later.
Although the flaw was fixed as part of the August 2020 Patch Tuesday, technical details and proof-of-concept exploits only began circulating over the past week.
“Applying the update released on August 11 to domain controllers is currently the only mitigation to this vulnerability (aside from removing affected domain controllers from the network),” CISA said.
Thus, the agency deems the CVE-2020-1472 flaw to be “an unacceptable risk to the Federal Civilian Executive Branch and requires an immediate and emergency action.”
According to the directive, agencies must update all Windows Servers holding the domain controller role by Monday, September 21. Concretely, that means applying the August 2020 Security Update to every domain controller, or removing from the network any affected domain controller that cannot be updated, and ensuring that technical and/or management controls are in place so that newly provisioned or previously disconnected domain controllers are updated before they are connected to agency networks.
Federal agencies must also provide a completion report by September 23, 2020.
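The following PowerShell script is an added example, not part of the directive or of CISA's guidance: it enumerates every domain controller in the current domain, checks each one for the August 2020 update, and emits a per-DC status table that can double as evidence for the completion report. It assumes the operator supplies, via -KbId, the KB numbers of the August 11, 2020 security updates for the Windows Server versions in use (taken from Microsoft's advisory for CVE-2020-1472); the script ships no KB numbers of its own. A DC that cannot be reached is reported as Unknown rather than silently treated as patched.

```powershell
#Requires -Modules ActiveDirectory
<#
.SYNOPSIS
  Audit every domain controller for the August 2020 update fixing CVE-2020-1472.
.NOTES
  Added example; not code from DHS, CISA or Microsoft.
  ASSUMPTION: -KbId lists the August 11, 2020 security-update KB IDs for the
  Windows Server versions in the environment, as published in Microsoft's
  CVE-2020-1472 advisory. Each DC needs exactly one of them, so a DC is
  considered patched when any listed KB is installed on it.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [string[]]$KbId,

    # Optional CSV path for the evidence file behind the completion report.
    [string]$ReportPath
)

Import-Module ActiveDirectory -ErrorAction Stop

# All DCs in the current domain. For a multi-domain forest, loop over
# (Get-ADForest).Domains and pass -Server to Get-ADDomainController.
$dcs = Get-ADDomainController -Filter * | Sort-Object HostName

$results = foreach ($dc in $dcs) {
    $name     = $dc.HostName
    $status   = 'Unpatched'
    $kbFound  = $null
    $lastBoot = $null
    try {
        # Run the check on the DC itself over WinRM. A connection failure is a
        # terminating error (-ErrorAction Stop) and lands in the catch block;
        # a missing hotfix is a non-terminating Get-HotFix error that we
        # suppress, so an empty result means "none of the KBs is installed".
        $remote = Invoke-Command -ComputerName $name -ErrorAction Stop -ScriptBlock {
            param($ids)
            [pscustomobject]@{
                HotFixes = @(Get-HotFix -Id $ids -ErrorAction SilentlyContinue)
                LastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
            }
        } -ArgumentList (,$KbId)

        $lastBoot = $remote.LastBoot
        if ($remote.HotFixes.Count -gt 0) {
            $status  = 'Patched'
            $kbFound = ($remote.HotFixes.HotFixID | Sort-Object -Unique) -join ','
        }
    }
    catch {
        # An unreachable or previously disconnected DC is unverified, not safe.
        $status = "Unknown ($($_.Exception.Message))"
    }

    [pscustomobject]@{
        DomainController = $name
        OperatingSystem  = $dc.OperatingSystem
        Site             = $dc.Site
        Status           = $status
        KbInstalled      = $kbFound
        LastBoot         = $lastBoot
        Checked          = (Get-Date).ToString('s')
    }
}

$results | Format-Table -AutoSize

if ($ReportPath) {
    $results | Export-Csv -Path $ReportPath -NoTypeInformation
}

# Anything not positively confirmed as patched needs action under ED 20-04:
# apply the update, or remove the DC from the network until it can be.
$needsAction = @($results | Where-Object { $_.Status -ne 'Patched' })
if ($needsAction.Count -gt 0) {
    Write-Warning ("{0} domain controller(s) are not confirmed patched: {1}" -f
        $needsAction.Count, ($needsAction.DomainController -join ', '))
    exit 1
}
```

Run it from a workstation with the RSAT ActiveDirectory module as an account that can use WinRM on the DCs, for example `.\Audit-Zerologon.ps1 -KbId <KBs from the advisory> -ReportPath .\ed-20-04-dcs.csv` (the script name is a placeholder). Re-running it before a rebuilt or reconnected DC is allowed back on the network is one way to satisfy the directive's requirement that such servers are updated before they connect.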