The Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security (DHS) has declared that a Microsoft security vulnerability “poses an unacceptable risk” and “requires an immediate and emergency action.”
The vulnerability was disclosed on August 11, 2020 by Microsoft, which issued a notice about Active Directory and its Microsoft Windows Netlogon Remote Protocol (MS-NRPC). An unauthenticated attacker could use it to obtain domain administrator access and compromise all Active Directory identity services.
The situation became much more urgent when an exploit code for this vulnerability was publicly released.
“Given the nature of the exploit and documented adversary behavior, CISA assumes active exploitation of this vulnerability is occurring in the wild,” CISA said in its announcement.
What was the response?
CISA set a Sept. 21, 2020 deadline for all its executive branch departments and agencies to install Microsoft’s August 2020 Security Updates on all affected servers.
While the agency’s jurisdiction only covers certain federal agencies, CISA strongly recommends that everyone, including the private sector as well as state and local governments, “patch this critical vulnerability as soon as possible.”
What should businesses do?
It is good business and security practice to keep all operating systems and application software up to date, though companies often fall behind, especially when managing multiple systems with limited resources.
For Microsoft systems, administrators should be familiar with “Patch Tuesday,” when the company typically releases updates to its software. The Microsoft Security Resource Center (MSRC) also maintains a Security Update Guide to highlight all updates related to security vulnerabilities.
This particular vulnerability, designated CVE-2020-1472, is clearly a pressing threat, with code widely available to hackers to exploit. Companies should install the August 2020 Security Updates as soon as possible.
The updates will require changes in how companies manage Netlogon secure channel connections. These changes should be reviewed by your information technology system administrators.
What happens next?
Microsoft’s August 2020 Security Updates actually include only the first of a two-phase response to this vulnerability, with the second part expected to be delivered in the first quarter of 2021.
The second phase will cover non-Windows devices using unofficial implementations MS-NRPC. It is delayed to allow the vendors who built them to provide updates.
Once the second phase is in place, Microsoft will enforce protection for all domain-joined devices. This means “your organization risks devices in your environment being denied access when the enforcement phase starts,” the company warns.
How can I keep up with Microsoft updates?
If you wish to be notified when these and other updates are released, Microsoft recommends that you register for its Microsoft Technical Security Notifications mailing list.