CISA gives agencies a day to remedy Windows DNS server vulnerability

Agencies face a quick turnaround to address a known vulnerability in Windows Domain Name System servers.

The Cybersecurity and Infrastructure Security Agency, under an emergency directive, is giving agencies until 2 p.m. Friday, July 17, to apply a patch released Tuesday — or a “temporary registry-based workaround” — for Windows Servers running DNS.

“CISA has determined that this vulnerability poses unacceptable significant risk to the federal civilian executive branch and requires an immediate and emergency action,” the agency wrote in its emergency directive.

CISA issued the emergency directive “based on the likelihood of the vulnerability being exploited, the widespread use of the affected software across the federal enterprise, the high potential for a compromise of agency information systems, and the grave impact of a successful compromise.”


CISA Director Chris Krebs wrote in a separate blog post that this marks the third emergency directive he’s approved during his tenure.

In January, CISA required “emergency action” from agencies on a vulnerability in Microsoft’s Windows operating system, giving them mere days to assess the scope of the vulnerability and 10 days to patch or remedy all affected endpoints.

The Windows DNS Server software update addresses a significant vulnerability that a remote attacker could exploit to take control of an affected system and run arbitrary code in the context of the Local System account.

“It is considered a ‘wormable’ vulnerability,” Krebs wrote. “It can run independently and propagate copies to other vulnerable systems — and affects all Windows Server versions that have the DNS role enabled.”

Agency CIOs have until July 24 to submit a completion report to CISA that confirms that the update has been applied to all affected endpoints.

Starting Aug. 13, Krebs will reach out to chief information officers and senior agency officials for risk management at agencies that have yet to meet all the requirements of the emergency directive.

CISA will report to the heads of the Department of Homeland Security and the Office of Management and Budget

By Sept. 3, CISA will provide a report to the secretary of Homeland Security and the director of the Office of Management and Budget identifying “cross-agency status and outstanding issues.”

While the emergency directive only applies to federal agencies, Krebs said CISA strongly recommends industry partners, as well as state and local governments, “immediately address” this threat within their own systems.

CISA provides cyber hygiene services to agencies, such as vulnerability scanning, web application scanning, and phishing campaign assessments. It has been able to notify the customer agencies that use these services whether they are exposed to this Windows Server vulnerability.