The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has given all government agencies 24 hours to fix a critical vulnerability in Windows Server.
An emergency directive was issued yesterday instructing agencies to deploy patches or mitigations by 2pm EDT today to resolve the CVE-2020-1350 vulnerability, also known as SIGRed.
The flaw is a remote code execution vulnerability that exists in how Windows Server is configured to run the Domain Name System (DNS) Server role.
An unauthenticated attacker can exploit the vulnerability by sending malicious requests to a Windows DNS server. The attacker could then run arbitrary code in the context of the Local System Account.
According to the emergency directive, "CISA has determined that this vulnerability poses unacceptable significant risk to the Federal Civilian Executive Branch and requires an immediate and emergency action."
A software update to mitigate this critical flaw in Windows Server operating systems was released on July 14 by Microsoft. Now CISA is ordering all government agencies to apply the fix to every Windows Server running the DNS role and to submit an initial status report by 2pm EST on Monday, July 20.
To Lamar Bailey, director of security research and development at Tripwire, the urgency of CISA's directive is understandable.
"CVE-2020-1350 (SIGRed) is one of the most serious vulnerabilities disclosed this year," commented Bailey. "It scores a CVSS score of 10."
CISA said it is "unaware of active exploitation of this vulnerability," but Bailey believes that even if this is the case, the situation could change in the immediate future.
"It is plausible to believe this is currently being exploited in the wild or will be very soon," said Bailey. "It is time to burn the midnight oil and get this patched ASAP."
CISA's actions come after experts warned of the dangers of SIGRed earlier this week. Gill Langston, head security nerd at SolarWinds MSP, urged administrators to tackle the vulnerability as a "number one priority" after the patch was released on Tuesday.
US government agencies have until 2pm EST on Friday, July 24 to submit a completion report, confirming that the vulnerability has been neutralized.