
Feds Issue Emergency Directive to Patch Critical DNS Server Flaw

CISA officials stress that while the emergency directive on patching the critical Windows DNS server flaw is aimed at federal agencies, private sector organizations should also take immediate action.

An emergency directive from the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) gave federal agencies just 24 hours to apply a patch for a critical, wormable remote code execution (RCE) vulnerability found in some Microsoft Windows DNS servers. 

CISA noted that while the directive to mitigate the flaw was directed at federal agencies and Executive Branch departments, private sector organizations and state and local governments should also heed the warnings to patch, given the severity of the flaw. 

Although this Directive only applies to federal agencies, we strongly recommend that all our partners in private industry and government take the same actions. Remember, we offer Cyber Hygiene and other free services: https://t.co/FqFmIpJfgN #InfoSec

— Cybersecurity and Infrastructure Security Agency (@CISAgov) July 16, 2020

CVE-2020-1350 was given the highest possible severity ranking, 10.0, by CISA. 

“CISA is unaware of active exploitation of this vulnerability but assesses that the underlying vulnerabilities can be quickly reverse engineered from a publicly available patch,” officials explained. 

First reported as part of Microsoft’s Patch Tuesday list, the vulnerability, known as SIGRed, resides in the Windows DNS server role implementation. An attacker can exploit the flaw by triggering a malicious DNS response; because the DNS server service runs with elevated system privileges, successful exploitation gives the attacker those privileges. 

The vulnerability exists in Windows Server versions 2003 through 2019 that are configured as DNS servers. If successful, the exploit would allow an attacker to run arbitrary code in the context of the Local System Account. 

Further, if the attacker gains Domain Administrator rights, they could intercept and manipulate user emails and network traffic, harvest user credentials, change the availability of services, and carry out other malicious activities. 

Check Point researchers, who discovered the vulnerability, warned at the time that “the likelihood of this vulnerability being exploited is high, as we internally found all of the primitives required to exploit this bug.” 

Those concerns were highlighted in the emergency directive, which stressed that the vulnerability poses an “unacceptable significant risk” requiring immediate and emergency action. 

“This determination is based on the likelihood of the vulnerability being exploited, the widespread use of the affected software across the Federal enterprise, the high potential for a compromise of agency information systems, and the grave impact of a successful compromise,” officials explained. 

When the flaw was publicly disclosed, Microsoft provided a registry-based workaround for organizations that could not immediately apply the patch. However, the emergency directive highlighted issues that the registry modification could cause with DNS responses. 

“The registry modification workaround will cause DNS servers to drop response packets that exceed the recommended value without error, and it is possible that some queries may not be answered,” officials warned. 

“The registry modification workaround is compatible with the security update but should be removed once the update is applied to prevent potential future impact that could result from running a nonstandard configuration,” they added. 

As a result, CISA required federal organizations, and urged private organizations, to update all Windows Server operating systems. 

CISA recommended that those organizations first focus on updating Windows Servers currently running the DNS role, including information systems used or operated by another entity that collects, processes, stores, transmits, maintains, or disseminates data from the impacted entity. 

Those organizations still unable to update the impacted servers within the next week should consider removing the servers from their networks. 
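The prioritization and workaround caveat above translate into a simple audit: find servers running the DNS role, check whether the temporary registry workaround is in place, and flag it for removal once the update is installed. The script below is an added example, not code from CISA or Microsoft; it assumes the registry path, value name and 0xFF00 setting from Microsoft's published workaround guidance for this CVE (not stated in this article) and must be run in an elevated PowerShell session on the server being checked.

```powershell
# Added example: audit a Windows Server for the CVE-2020-1350 (SIGRed) registry workaround.
# Assumption: path, value name and data below follow Microsoft's published workaround
# guidance for this CVE; they are not taken from this article.
$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$Expected  = 0xFF00   # 65280 bytes: largest DNS-over-TCP packet accepted under the workaround

function Test-DnsRoleInstalled {
    # Only servers running the DNS role expose the vulnerable code path.
    $feature = Get-WindowsFeature -Name DNS -ErrorAction SilentlyContinue
    return ($null -ne $feature -and $feature.Installed)
}

function Get-SigredWorkaroundState {
    # Returns Applied / NotApplied / NonStandardValue(...) / NoDnsParametersKey.
    if (-not (Test-Path $RegPath)) { return 'NoDnsParametersKey' }
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotApplied' }
    if ($item.$ValueName -eq $Expected) { return 'Applied' }
    # A different limit is a nonstandard configuration and may silently drop responses.
    return ('NonStandardValue(0x{0:X})' -f $item.$ValueName)
}

function Remove-SigredWorkaround {
    # Per the directive, remove the value once the security update is installed,
    # then restart the DNS service so the default packet limit is restored.
    Remove-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction Stop
    Restart-Service -Name DNS
}

if (-not (Test-DnsRoleInstalled)) {
    Write-Output 'DNS role not installed: this server does not run the affected role.'
} else {
    $state = Get-SigredWorkaroundState
    Write-Output "DNS role installed; workaround state: $state"
    switch -Wildcard ($state) {
        'Applied'    { Write-Output 'Workaround present: remove it with Remove-SigredWorkaround once the update is installed.' }
        'NotApplied' { Write-Output 'Workaround absent: confirm the security update is installed, or apply the workaround until it can be.' }
        'NonStandard*' { Write-Output 'Unexpected packet-size limit: review before patching; queries may be dropped silently.' }
    }
}
```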

Given the number of legacy systems found in healthcare and a host of patch management challenges, organizations in the healthcare sector should heed the latest CISA warnings. Notably, in June, a new malware campaign known as Lucifer was spotted in the wild targeting a host of critical, unpatched Windows vulnerabilities.
