Government

CISA orders agencies to quickly patch critical Netlogon bug

CISA has increasingly used its emergency-directive authority to try to keep foreign spies or criminals from burrowing into federal networks

By Sean Lyngaas

September 21, 2020

(U.S. Army Garrison - Miami / Flickr)

For several days, security experts have urged organizations to fix a critical vulnerability in a Microsoft protocol that hackers could use to steal sensitive data. Now, U.S. government agencies don’t have a choice but to act.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency on late Friday evening ordered federal civilian agencies to apply a patch for the vulnerability by the end of the day Monday. The “emergency directive” — only the fourth ever issued by the agency — reflects the “unacceptable risk” the vulnerability poses to federal agencies because the affected software is used throughout the government, officials said.

The bug is the latest in a bevy of critical flaws to emerge in popular software this year. In response, CISA has increasingly used its emergency-directive authority to try to keep foreign spies or criminals from burrowing into federal networks. In July, CISA gave agencies 24 hours to address another critical Windows-related vulnerability.

The latest vulnerability affects the Netlogon protocol that Microsoft employs to authenticate users within a domain. That means a hacker with access to an internal network could exploit the bug to essentially impersonate any user on the network, including the domain controller responsible for handling security requests.

Security experts have warned that complacency is not an option.

Regarding Zerologon: you *must* prioritize patching over detection with this kind of bug.

Once an attacker owns your DC, their persistence options far exceed what even the most advanced organizations can hope to recover from.

An ounce of patching is worth 10 tons of response.

— Andy Robbins (@_wald0) September 19, 2020

Microsoft issued a fix for the flaw in August, but the issue took on greater urgency last week when researchers released a “proof of concept” showing just how easy it is to exploit the bug. More exploits followed, setting off a scramble to patch systems.

“We do not issue emergency directives unless we have carefully and collaboratively assessed it to be necessary,” said Bryan S. Ware, assistant director for cybersecurity at CISA.

Foreign espionage groups often exploit known vulnerabilities in widely used software to infiltrate targets. Earlier this month, CISA warned that hackers associated with China’s civilian intelligence service, the MSS, were exploiting VPN software to target U.S. government agencies.