The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA) issued an emergency directive today instructing all government agencies to deploy patches or mitigations for a critical bug in Windows Server within the next 24 hours.
The emergency directive urges agencies to patch a vulnerability known as SIGRed, discovered by Check Point researchers, for which Microsoft released updates this week, during its regular Patch Tuesday window.
The bug impacts the DNS server component that ships with all Windows Server versions from 2003 to 2019.
SIGRed can be exploited to run malicious code on a Windows Server that has its DNS server component active. The bug is also “wormable,” according to Microsoft’s assessment, meaning it can be abused for self-replicating attacks that spread across the internet or inside organizations.
In a press release today, CISA director Christopher Krebs said the bug is of particular interest to the DHS, the US agency in charge of supervising the security of the US government’s IT networks. He urged federal agencies to patch servers as soon as possible but also asked the private sector to do the same.
CISA cited the likelihood of the SIGRed vulnerability being exploited, the widespread use of the affected software across the federal government network, the high potential for a compromise of agency information systems, and the grave impact of a successful compromise as reasons to push today’s emergency directive, a type of alert that is issued only in rare situations.
The ED 20-03 emergency directive requires agencies to install the Microsoft July 2020 security updates within the next day, by Friday, July 17, 2020, 2:00 pm EDT — if the agencies are running Windows Server instances with a DNS role.
If the security updates cannot be installed, CISA requires agencies to deploy a registry modification workaround detailed in the Microsoft SIGRed (CVE-2020-1350) advisory.
Agencies then have another week to remove the workaround and apply the security update. Servers that can’t be updated should be removed from an agency’s network, CISA said.
At the time of writing, no proof-of-concept code is publicly available for the SIGRed vulnerability, which has delayed the start of active exploitation.
The CVE-2020-1350 vulnerability is one of several vulnerabilities disclosed this month that received a severity score of 10 out of 10 on the CVSSv3 severity scale.
Other similarly dangerous vulnerabilities that are easy to exploit via the internet include bugs in Palo Alto Networks’s PAN-OS operating system, in F5 BIG-IP networking devices, and many SAP cloud applications.