Government sysadmins have been given the weekend to fix the Zerologon elevation-of-privilege bug; the rest of us have been given a stern warning.
The US Cybersecurity and Infrastructure Security Agency (CISA) has taken the unusual step of issuing an emergency directive that gives US government agencies a four-day deadline to implement a Windows Server patch.
The directive, issued on September 18th, demanded that executive agencies take “immediate and emergency action” to patch CVE-2020-1472, the CVSS-perfect-ten-rated flaw that Dutch security outfit Secura BV said allows attackers to instantly become domain admin by subverting Netlogon cryptography.
This means the bug can “be used to obtain domain admin credentials and then restore the original DC password,” the report said.
“This attack has a huge impact. It basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged a device to an on-premise network port) to completely compromise the Windows domain.”
CISA has directed executive agencies to apply the patch by September 21st, as well as strongly urging state and local government agencies, the private sector, and members of the public to update as soon as possible.
“We do not issue emergency directives unless we have carefully and collaboratively assessed it to be necessary,” the agency warned. CISA issued just two such directives in each of 2018 and 2019; 2020, true to its status as a year of woe, has already seen four of the emergency warnings.
That the agency feels the need to issue one for this flaw is notable, given that simply applying Microsoft’s August patches would already have fixed the problem. Yet US government agencies evidently need the firmest possible prod to get it done.