Homeland Security Issues Urgent Windows Security Warning Over Zerologon Exploit
Earlier in the week, we reported on a dangerous exploit with Windows domain controllers called Zerologon. Now, the Cybersecurity and Infrastructure Security Agency (CISA), under the direction of the Department of Homeland Security, is issuing warnings about the exploit and is pushing government agencies to patch the vulnerability over the weekend.
The Zerologon exploit is a way for a nefarious person to escalate privileges within a system and gain access to other systems and files. It takes advantage of the Windows Server Netlogon Remote Protocol and its authentication to capture session data and escalate the exploit further.
Earlier in August, Microsoft released a patch to mitigate the vulnerability for Windows Server operating systems. According to CISA, the patch “is currently the only mitigation to this vulnerability (aside from removing affected domain controllers from the network).” Thus, Homeland Security and CISA have deemed this exploit an “unacceptable risk” to the Federal Civilian Executive Branch and have issued an emergency directive. The emergency directive requires agencies to apply the update to fix the vulnerability immediately.
Although the Emergency Directive only applies to those federal agencies, we strongly recommend that state & local government, the private sector, and the American public also apply this security update as soon as possible. More info: https://t.co/O303PodUon #NetSec 2/2
— Cybersecurity and Infrastructure Security Agency (@CISAgov) September 19, 2020
According to the Homeland Security page, the emergency directive requires all agencies to “Update all Windows Servers with the domain controller role by 11:59 PM EDT, Monday, September 21, 2020,” or pull un-updatable systems from the network. By September 23rd, all department-level CIOs must submit a report to CISA stating the update is complete. While the exploit is being patched, CISA will ensure compliance is met across all agencies affected.
This sort of governmental reaction is alarming but not surprising given the scope of the exploit. The Common Vulnerability Scoring System (CVSS) has the Zerologon exploit rated at a 10, which is the highest severity rating it could receive. While the government is expediting fixes, companies and organizations should heed the warning of the emergency directive and update their systems too. This exploit is not something you want to find out about the hard way.