The vulnerability, dubbed “SIGRed,” resides in Windows DNS and can be exploited to allow an attacker to take control of an entire network. Adding to the risk of system takeover is that the vulnerability is also described as being “wormable” in that it can allow an attacker to leverage a targeted server as a distribution point to spread malware between systems without any user interaction.
There are currently no known cases of the vulnerability being exploited, but CISA says its directive is based on the likelihood of the vulnerability being exploited given “the widespread use of the affected software across the federal enterprise, the high potential for a compromise of agency information systems and the grave impact of a successful compromise.”
Federal agencies have been given 24 hours either to install the security update issued by Microsoft or to apply a registry modification workaround to all Windows Servers running the DNS role. Agencies then have a week more, until July 24, to ensure that the security update is applied and, if applicable, that the registry workaround is removed. In the event that agencies are unable to comply, CISA advises that they should consider removing Windows Servers from their networks.
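The directive's two steps (apply the patch or the registry workaround now; later confirm the patch and remove the workaround) are easiest to audit with a small script run on each DNS server. The following PowerShell is an added example, not code from the article, CISA or Microsoft; it assumes the registry key and value name from Microsoft's published CVE-2020-1350 workaround guidance, which should be checked against the current advisory before use. It reports the workaround state and, with `-Remove`, takes the workaround off only when you have already confirmed the July 2020 update is installed.

```powershell
# Added example: audit (and optionally remove) the SIGRed registry workaround
# on a Windows DNS server. Run elevated on each server that holds the DNS role.
# Key and value name are assumed from Microsoft's CVE-2020-1350 guidance.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remove   # remove the workaround; use only after the update is applied
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$Expected  = 0xFF00   # value the published workaround sets

# Only servers running the DNS role are in scope for the directive.
$dnsService = Get-Service -Name 'DNS' -ErrorAction SilentlyContinue
if (-not $dnsService) {
    Write-Output "$($env:COMPUTERNAME): DNS Server service not present; out of scope."
    return
}

$props   = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
$current = if ($props) { $props.$ValueName } else { $null }

if ($null -eq $current) {
    Write-Output "$($env:COMPUTERNAME): workaround NOT present (no $ValueName value)."
} elseif ($current -eq $Expected) {
    Write-Output "$($env:COMPUTERNAME): workaround present ($ValueName = 0x$('{0:X}' -f $current))."
} else {
    # Some other value is set; flag it rather than silently treating it as compliant.
    Write-Output "$($env:COMPUTERNAME): $ValueName has unexpected value 0x$('{0:X}' -f $current)."
}

# Post-patch cleanup step: remove the workaround and restart DNS so it takes effect.
if ($Remove -and $null -ne $current) {
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Remove SIGRed workaround')) {
        Remove-ItemProperty -Path $KeyPath -Name $ValueName
        Restart-Service -Name 'DNS'
        Write-Output "$($env:COMPUTERNAME): workaround removed and DNS service restarted."
    }
}
```

Because the script supports `-WhatIf`, an administrator can preview the removal across a fleet (for example via `Invoke-Command`) before changing anything.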
In all cases, civil federal agencies are required to report their efforts to CISA starting with an initial status report by July 20, then a completion report by July 24. The latter is required to come from department-level chief information officers or equivalents.
The emergency directive remains in place until all civil agencies have applied the July 2020 Security Update, or until the directive is terminated through other appropriate action. Notably, CISA orders do not apply to the Department of Defense or the intelligence community.
CISA is also urging the private sector, along with state and local governments, to apply the security updates.
“CVE-2020-1350 (SIGRed) is one of the most serious vulnerabilities disclosed this year,” Lamar Bailey, director of security research and development at cybersecurity company Tripwire Inc., told SiliconANGLE. “It scores a CVSS score of 10. It is plausible to believe this is currently being exploited in the wild or will be very soon. It is time to burn the midnight oil and get this patched ASAP.”
Katie Nickels, director of intelligence at threat detection firm Red Canary Inc., noted that there’s a confluence of factors that make the exploitation of this vulnerability concerning.
“For one, Microsoft is sounding the alarm that the bug is ‘wormable,’ meaning that malicious code could spread between vulnerable infrastructure without human interaction and suggesting that successful exploitation could lead to widespread compromises,” Nickels explained. “In conjunction with that, Windows DNS Server is a near-ubiquitous platform that often runs on multiple, highly sensitive machines within an enterprise network, meaning that there might be multiple instances of Windows DNS Server offering a foothold in any given environment — and those footholds may well offer an attacker a highly privileged level of access.”
Finally, she said, “the vulnerability affects a wide swath of Windows Server versions, dating back many years in some cases, which could complicate remediation efforts.”