CISA gives agencies a day to remedy Windows DNS server vulnerability

Agencies face a quick turnaround to address a known vulnerability in Windows Domain Name System servers.

The Cybersecurity and Infrastructure Security Agency, under an emergency directive, is giving agencies until 2 p.m. Friday, July 17, to apply a patch released Tuesday — or a “temporary registry-based workaround” — for Windows Servers running DNS.

“CISA has determined that this vulnerability poses unacceptable significant risk to the federal civilian executive branch and requires an immediate and emergency action,” the agency wrote in its emergency directive.

CISA issued the emergency directive “based on the likelihood of the vulnerability being exploited, the widespread use of the affected software across the federal enterprise, the high potential for a compromise of agency information systems, and the grave impact of a successful compromise.”

CISA Director Chris Krebs wrote in a separate blog post that this marks the third emergency directive he’s approved during his tenure.

In January, CISA required “emergency action” from agencies on a vulnerability in Microsoft’s Windows operating system, giving them mere days to assess its scope and 10 days to patch or remedy all affected endpoints.

The Windows DNS server software update addresses a significant vulnerability that a remote attacker could exploit to take control of an affected system and run arbitrary code in the context of the Local System Account.

“It is considered a ‘wormable’ vulnerability,” Krebs wrote. “It can run independently and propagate copies to other vulnerable systems — and affects all Windows Server versions that have the DNS role enabled.”

Agency CIOs have until July 24 to submit a completion report to CISA that confirms that the update has been applied to all affected endpoints.

Starting Aug. 13, Krebs will reach out to chief information officers and senior agency officials for risk management at agencies that have yet to meet all the requirements of the emergency directive.

By Sept. 3, CISA will provide a report to the secretary of Homeland Security and the director of the Office of Management and Budget identifying “cross-agency status and outstanding issues.”

While the emergency directive only applies to federal agencies, Krebs said CISA strongly recommends industry partners, as well as state and local governments, “immediately address” this threat within their own systems.

CISA provides cyber hygiene services to agencies, such as vulnerability scanning, web application scanning, and phishing campaign assessments. It has been able to notify customer agencies who use its services whether they have this Windows Server vulnerability.
