The Cybersecurity and Infrastructure Security Agency issued an emergency directive calling on agencies to patch their Windows Server operating systems to prevent attackers from completely compromising all Active Directory identity services.
The Cybersecurity and Infrastructure Security Agency issued an emergency directive to agencies on Sept. 18, calling on them to patch all Windows server operating systems by Sept. 21 to prevent unauthenticated attackers with network access to a domain controller to completely compromise all Active Directory identity services.
Those servers that cannot be patched by 11:59 p.m. Eastern Time on Sept. 21 should be unplugged from networks, CISA said, citing the "widespread presence of the affected domain controllers across the federal enterprise" and the "high potential for a compromise of agency information systems."
The vulnerability, Microsoft said in an August notice on the problem, could allow attackers to elevate their domain privileges within the network without authentications, once they get inside.
If an unauthorized attacker gets control of the identity capabilities at one agency, said CISA, the access could be used to compromise other federal networks.
"CISA has determined that this vulnerability poses an unacceptable risk to the federal civilian executive branch and requires an immediate and emergency action," said the directive.
Microsoft issued a patch for the vulnerability on Aug. 11 and said it plans to issue an additional update in the first quarter of 2021. In an accompanying assessment, the company said it had not seen any exploitation of the vulnerability.
After the software upgrade is in place, CIOs must submit a completion report to CISA by Sept. 23 that states the update has been applied to all affected servers and that newly provisioned and disconnected servers will be patched as required before they are connected to the network.
CISA said it is also keeping an eye on compliance through the Continuous Diagnostics and Mitigation program. Agencies can get support from CDM systems integrators in the effort as well, the agency said.
By Oct. 5, CISA wants to be able to provide a detailed report to the secretary of the Department of Homeland Security and the director of the Office of Management and Budget on the status of the upgrade and issues that remain to be resolved.
This article was first posted to FCW, a sibling site to GCN.
NEXT STORY: Challenges of classified BYOD