The Cybersecurity and Infrastructure Security Agency (CISA) has published a "Patch by Tonight" emergency directive (Emergency Directive 20-04). It requires federal agencies to apply the patch for a critical Windows Netlogon vulnerability. CISA's Patch by Tonight Emergency Directive follows the public release of exploit code for CVE-2020-1472, a critical elevation-of-privilege vulnerability in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC).
CISA requires the August 2020 security update to be applied to every Windows Server holding the domain controller role. Any affected domain controller that cannot be updated must be removed from the network.
Agencies must also put technical and management controls in place so that newly provisioned or previously disconnected domain controllers are updated before they are connected to agency networks.
CISA's Patch by Tonight Emergency Directive is binding only on Executive Branch agencies. CISA nevertheless strongly recommends that its partners, including the private sector and the American public, apply this security update as well.
Critical Netlogon Flaw
Secura researchers, who discovered the flaw, dubbed it Zerologon because the attack works by placing zero-valued bytes in specific Netlogon authentication parameters. Zerologon carries the maximum CVSS severity score of 10/10. It requires no credentials: an attacker only needs network access to a domain controller, so any foothold inside the network is enough. Once an attacker is on the local network, the bug lets them take over the entire Windows domain, which is effectively game over for the targeted organization.
Microsoft is addressing the issue in a two-phase rollout. The first phase, shipped in the August 2020 Patch Tuesday update, fixes the Zerologon bug on patched domain controllers while still permitting vulnerable Netlogon secure-channel connections from devices that do not yet support the secure channel properly. The second, enforcement phase, which rejects those connections, is expected in the first quarter of 2021.
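The directive's requirements (patch every domain controller, pull unpatched ones off the network, and find devices that will break when enforcement arrives) can be checked from one audit script. The PowerShell below is an added example, not code from CISA, Microsoft or Secura. It assumes a domain-joined workstation with the RSAT ActiveDirectory module and WinRM access to each domain controller; the KB numbers of the August 2020 (or later cumulative) update differ per Windows version and are passed in by the administrator, and the script assumes the first insertion string of event 5829 is the connecting machine's SamAccountName, which should be verified against the event XML in your environment.

```powershell
#Requires -Modules ActiveDirectory
# Added example: audit domain controllers for CVE-2020-1472 remediation state.
param(
    # KB IDs of the Netlogon update for the OS versions in your forest
    # (assumption: supplied by the admin from Microsoft's CVE-2020-1472 advisory).
    [string[]]$NetlogonUpdateKB = @(),
    [int]$LookbackDays = 7
)

$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
# Event IDs added to the System log by the August 2020 update:
# 5827/5828 = vulnerable connection denied, 5829 = allowed (compatibility mode),
# 5830/5831 = allowed because group policy explicitly permits the account.
$eventIds = 5827, 5828, 5829, 5830, 5831

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc -ScriptBlock {
        # FullSecureChannelProtection = 1 turns on enforcement mode ahead of
        # Microsoft's own enforcement phase.
        $enforce = (Get-ItemProperty -Path $using:regPath `
            -Name FullSecureChannelProtection -ErrorAction SilentlyContinue).FullSecureChannelProtection

        $kbs = $using:NetlogonUpdateKB
        $patched = if ($kbs.Count -gt 0) {
            [bool](Get-HotFix -Id $kbs -ErrorAction SilentlyContinue)
        } else { $null }   # unknown until a KB list is supplied

        $events = @(Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'NETLOGON'
            Id           = $using:eventIds
            StartTime    = (Get-Date).AddDays(-$using:LookbackDays)
        } -ErrorAction SilentlyContinue)

        [pscustomobject]@{
            DomainController  = $env:COMPUTERNAME
            PatchInstalled    = $patched
            EnforcementMode   = ($enforce -eq 1)
            VulnerableAllowed = @($events | Where-Object Id -in 5829, 5830, 5831).Count
            VulnerableDenied  = @($events | Where-Object Id -in 5827, 5828).Count
            # Machines still using vulnerable secure channels (assumption:
            # Properties[0] of event 5829 is the machine SamAccountName).
            ClientsToFix      = @($events | Where-Object Id -eq 5829 |
                                    ForEach-Object { $_.Properties[0].Value } |
                                    Sort-Object -Unique)
        }
    }
}

$results | Format-Table DomainController, PatchInstalled, EnforcementMode,
    VulnerableAllowed, VulnerableDenied -AutoSize

# Directive action items: unpatched DCs must be patched or disconnected.
$results | Where-Object { $_.PatchInstalled -eq $false } |
    ForEach-Object { Write-Warning "Unpatched DC: $($_.DomainController)" }

# Devices listed here will be cut off once enforcement mode is enabled.
$results | Where-Object { $_.ClientsToFix.Count -gt 0 } |
    Select-Object DomainController, ClientsToFix
```

Run it weekly until every DC reports PatchInstalled true and ClientsToFix empty; only then is it safe to set FullSecureChannelProtection to 1 on the domain controllers, which is the state the 2021 enforcement phase will impose anyway. Note that 5827-5831 are only logged by patched domain controllers, so an absence of events says nothing about an unpatched one.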
CISA has determined that this vulnerability poses an unacceptable risk to the Federal Civilian Executive Branch and requires immediate action under CISA's Patch by Tonight Emergency Directive. The main reasons for this determination are:
- Publicly available exploit code makes it very likely that any unpatched domain controller will be exploited.
- A compromise of agency information systems is highly likely.
- Affected domain controllers are present throughout the federal enterprise.
- The vulnerability has remained present for more than thirty days since the update was released.
The Takeaway Lesson from the Event
In the era of digital transformation, data security is of paramount importance, since the value of any business stems from the data it has collected over the years. Much of the data held in databases is sensitive, and a breach of it can be a nightmare for both the business and its customers.
Therefore, and particularly in light of CISA's Patch by Tonight Emergency Directive, properly identifying data security threats and maintaining a practical incident response plan is the need of the hour. Neglecting the integrity of systems and data can become an irreversible disaster for any business.