The Department of Homeland Security’s cybersecurity branch has given civilian federal agencies an emergency order to address known vulnerabilities in Microsoft’s Windows operating system.
Tuesday’s emergency directive from the Cybersecurity and Infrastructure Security Agency gives agencies mere days to assess how many of their systems are exposed to the vulnerability, and 10 days to patch or otherwise remediate all of their affected endpoints.
CISA released the directive the same day Microsoft released a patch to mitigate what CISA called “significant vulnerabilities” in the Windows OS.
“An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source,” Microsoft wrote in its security update guidance. “The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.”
The patch addresses vulnerabilities discovered by the National Security Agency that affect Windows’ cryptographic functionality, specifically the code that validates the certificates used for code signing and for secure network connections.
“Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities,” the NSA wrote in its cybersecurity advisory.
CISA said it was unaware of “active exploitation” of these known vulnerabilities, but once a patch has been publicly released, “the underlying vulnerabilities can be reverse engineered to create an exploit,” the agency wrote.
Apart from disconnecting affected endpoints from agency networks altogether, the agency warned, the patch is the only known technical mitigation for these vulnerabilities.
“CISA has determined that these vulnerabilities pose an unacceptable risk to the Federal enterprise and require an immediate and emergency action,” the agency wrote in its directive. “This determination is based on the likelihood of the vulnerabilities being weaponized, combined with the widespread use of the affected software across the Executive Branch and high potential for a compromise of integrity and confidentiality of agency information.”
By Jan. 17, agencies must submit an initial status report that estimates how many of their endpoints are affected by this vulnerability.
The status report will also give CISA an update on how many endpoints agencies have patched to date, and serve as an indication of whether agencies have management controls to ensure that “all provisioned and previously disconnected endpoints have applied the patch before being connected to previously connected endpoints across all components.”
By Jan. 29, chief information officers must submit completion reports that confirm their agencies have patched all their affected endpoints and provide “assurance that newly provisioned or previously disconnected endpoints will be patched as required by this directive prior to network connection.”
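The directive’s reporting steps boil down to one question per endpoint: is the January update installed or not. The following PowerShell script is an added example, not part of the directive or of any CISA or Microsoft tooling. It polls a list of hosts, checks each for a given update by KB number, and tallies patched, unpatched and unreachable machines so the counts can go into the status and completion reports. The KB identifier and the host names are placeholders; the directive does not name a KB, and the correct KB differs by Windows build.

```powershell
# Added example: tally patch status across endpoints for the directive's status report.
# $KbId is a placeholder (the directive names no KB); substitute the KB number of the
# Jan. 14 cumulative update for each affected Windows build before running this.
param(
    [string]$KbId = 'KB0000000',                       # placeholder, see note above
    [string[]]$ComputerName = @('ws-0001', 'ws-0002')  # constructed sample host list
)

$results = foreach ($computer in $ComputerName) {
    try {
        # Get-HotFix queries Win32_QuickFixEngineering over DCOM; an unreachable host throws.
        $installed = Get-HotFix -ComputerName $computer -ErrorAction Stop
        $match = $installed | Where-Object { $_.HotFixID -eq $KbId }
        if ($match) {
            [pscustomobject]@{ Computer = $computer; Status = 'Patched'; InstalledOn = $match.InstalledOn }
        } else {
            [pscustomobject]@{ Computer = $computer; Status = 'Unpatched'; InstalledOn = $null }
        }
    } catch {
        # Hosts that cannot be queried are neither patched nor unpatched; report them separately
        # so they are not silently dropped from the count of affected endpoints.
        [pscustomobject]@{ Computer = $computer; Status = "Unreachable: $($_.Exception.Message)"; InstalledOn = $null }
    }
}

# Per-host detail, then the summary numbers the report asks for.
$results | Format-Table -AutoSize

$summary = $results | Group-Object { $_.Status -replace ':.*$' } | Select-Object Name, Count
$summary | Format-Table -AutoSize

# Anything not positively 'Patched' still blocks a completion report.
$outstanding = @($results | Where-Object { $_.Status -ne 'Patched' }).Count
Write-Output "Endpoints still outstanding: $outstanding of $($results.Count)"
```

Two caveats a practitioner would want: Get-HotFix only sees updates recorded in the QFE store on the target, so a wrong KB for that machine’s build yields a false “Unpatched,” and a machine that was offline during the scan must be re-checked before it is allowed back onto the network, which is exactly the control the completion report asks CIOs to attest to.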
Meanwhile, CISA will oversee agency compliance with its directive and ensure that agencies participating in Continuous Diagnostics and Mitigation (CDM) “can leverage the support of their system integrators to assist with this effort, if needed.”
Starting Feb. 3, CISA Director Chris Krebs will reach out to the CIOs and senior agency officials for risk management of agencies that have not yet met the emergency directive’s requirements.
CISA will submit a report by Feb. 14 to acting DHS Secretary Chad Wolf and acting OMB Director Russ Vought identifying “cross-agency status and outstanding issues.”