US Department of Homeland Security Cybersecurity In - PDF document

Uploaded On 2021-07-04


U.S. Department of Homeland Security
Cybersecurity & Infrastructure Security Agency
Office of the Director
Washington, DC 20528

Emergency Directive-04

Original Release Date: September,
Applies to: All Federal Executive Branch Departments and Agencies, Except for the Department of Defense, Central Intelligence Agency, and Office of the Director of National Intelligence

FROM: Christopher C. Krebs
Director, Cybersecurity and Infrastructure Security Agency
Department of Homeland Security

Russell Vought
Director, Office of Management and Budget

SUBJECT: Mitigate Netlogon Elevation of Privilege Vulnerability from August Patch Tuesday

Section 3553(h) of title 44, U.S. Code, authorizes the Secretary of Homeland Security, in response to a known or reasonably suspected information security threat, vulnerability, or incident that represents a substantial threat to the information security of an agency, to "issue an emergency directive to the head of an agency to take any lawful action with respect to the operation of the information system, including such systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat." 44 U.S.C. § 3553(h)(1)–(2). Section 2205(3) of the Homeland Security Act of 2002, as amended, delegates this authority to the Director of the Cybersecurity and Infrastructure Security Agency. 6 U.S.C. § 655(3). Federal agencies are required to comply with these directives. 44 U.S.C. § 3554(a)(1)(B)(v). These directives do not apply to statutorily defined "national security systems" nor to systems operated by the Department of Defense or the Intelligence Community. 44 U.S.C. § (d), (e)(2), (e)(3), (h)(1)(B).

Background

On August 11, 2020, Microsoft released a software update to mitigate a critical vulnerability in Windows Server operating systems (CVE). The vulnerability in Microsoft Windows Netlogon Remote Protocol (MS-NRPC), a core authentication component of Active Directory, could allow an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services.

Applying the update released on August 11 to domain controllers is currently the only mitigation to this vulnerability (aside from removing affected domain controllers from the network).

CISA has determined that this vulnerability poses an unacceptable risk to the Federal Civilian Executive Branch and requires an immediate and emergency action. This determination is based on the following:

• the availability of the exploit code in the wild, increasing the likelihood of any unpatched domain controller being exploited;
• the widespread presence of the affected domain controllers across the federal enterprise;
• the high potential for a compromise of agency information systems;
• the grave impact of a successful compromise; and
• the continued presence of the vulnerability more than 30 days since the update was released.

CISA requires that agencies immediately apply the Windows Server August 2020 security update to all domain controllers.

Footnote: CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability, https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

Required Actions

This emergency directive requires the following actions:

Update all Windows Servers with the domain controller role by 11:59 PM EDT, Monday, September , 2020:

• Apply the August 2020 Security Update to all Windows Servers with the domain controller role.
• If affected domain controllers cannot be updated, ensure they are removed from the network.

By 11:59 PM EDT, Monday, September 21, 2020, ensure technical and/or management controls are in place to ensure newly provisioned or previously disconnected domain controller servers are updated before connecting to agency networks.

In addition to agencies using their vulnerability scanning tools for this task, CISA recommends that agencies use other means to confirm that the update has been properly deployed.

These requirements apply to Windows servers with the Active Directory domain controller role in any information system, including information systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.

Report information to CISA

By 11:59 PM EDT, Wednesday, September 2, 2020, submit a completion report using the provided template. Department-level Chief Information Officers (CIOs) or equivalents must submit completion reports attesting to CISA that the applicable update has been applied to all affected servers and provide assurance that newly provisioned or previously disconnected servers will be patched as required by this directive prior to network connection (per Action

CISA Actions

• CISA will continue to work with our partners to monitor for active exploitation of this vulnerability.
• CISA will review and validate agency compliance and ensure that agencies participating in the Continuous Diagnostic and Mitigation (CDM) program can leverage the support of their CDM system integrators (SIs) to assist with this effort, if needed. If agencies want to enlist the help of their CDM SIs, please notify your CDM Portfolio Team.
• CISA will provide additional guidance to agencies via the CISA website, through an emergency directive issuance coordination call, and through individual engagements upon request (via CyberDirectives@cisa.dhs.gov).
• Beginning October 1, 2020, the CISA Director will engage the CIOs and/or Senior Agency Officials for Risk Management (SAORM) of agencies that have not completed required actions, as appropriate and based on a risk-based approach.
• By October 5, 2020, CISA will provide a report to the Secretary of Homeland Security and the Director of Office of Management and Budget (OMB) identifying cross-agency status and outstanding issues.

Duration

This emergency directive remains in effect until all agencies have applied the August 2020 Security Update (or other superseding updates) or the directive is terminated through other appropriate action.

Additional Information

Visit https://cyber.dhs.gov or contact the following for:

• General information, assistance, and reporting: CyberDirectives@cisa.dhs.gov
• Reporting indications of potential compromise: Central@cisa.dhs.gov

Attachment: Emergency Directive-04 Agency Report Template