Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Government Security United States Windows

Feds Issue Emergency Order For Agencies To Patch Critical Windows Flaw (arstechnica.com) 61

The US Department of Homeland Security is giving federal agencies until midnight on Tuesday to patch a critical Windows vulnerability that can make it easy for attackers to become all-powerful administrators with free rein to create accounts, infect an entire network with malware, and carry out similarly disastrous actions. Ars Technica reports: Zerologon, as researchers have dubbed the vulnerability, allows malicious hackers to instantly gain unauthorized control of the Active Directory. An Active Directory stores data relating to users and computers that are authorized to use email, file sharing, and other sensitive services inside large organizations. Zerologon is tracked as CVE-2020-1472. Microsoft published a patch last Tuesday. The flaw, which is present in all supported Windows server versions, carries a critical severity rating from Microsoft as well as a maximum of 10 under the Common Vulnerability Scoring System. Further raising that stakes was the release by multiple researchers of proof-of-concept exploit code that could provide a roadmap for malicious hackers to create working attacks.

Officials with the Cybersecurity and Infrastructure Security Agency, which belongs to the DHS, issued an emergency directive on Friday that warned of the potentially severe consequences for organizations that don't patch. [The agency's statement can be found in the article.] CISA, which has authorization to issue emergency directives intended to mitigate known or suspected security threats, is giving organizations until 11:59pm EDT on Monday to either install a Microsoft patch or disconnect the vulnerable domain controller from the organization network. No later than 11:59pm EDT on Wednesday, agencies are to submit a completion report attesting the update has been applied to all affected servers or provide assurance that newly provisioned or previously disconnected servers will be patched.

This discussion has been archived. No new comments can be posted.

Feds Issue Emergency Order For Agencies To Patch Critical Windows Flaw

Comments Filter:
  • Or at least a consumer version of the OS. Surely they should have a special hardened version of either windows or linux that they've vetted the code of? Ok that might not catch every flaw but it should catch quite a few.

    • by Z00L00K ( 682162 ) on Tuesday September 22, 2020 @05:14AM (#60530938) Homepage Journal

      Everyone uses M$ for the users. The era of X terminals and vanilla terminals ended some time in the 90's.

    • by azcoyote ( 1101073 ) on Tuesday September 22, 2020 @05:18AM (#60530942)
      While on the one hand it does make sense that a more targeted OS, made specifically for a government, would have fewer flaws because it has to please fewer people, on the other this would require a government to have the programming talent to build and maintain the code. The government then would have to competitively pay for good talent and allow them to work without dealing with frivolous demands, infighting, and overall stupidity. On top of that, government agencies sometimes do use in-house programs, and these would have to be adapted to run on this government-specific OS without introducing more bugs and vulnerabilities. If a government could pull this off, it would be great. But in actuality, the tragedy of bureaucracy makes it so that such an OS would likely be more vulnerable, not less.
      • by gtall ( 79522 )

        Ditto. Not only that, a gov. OS would be susceptible to political interference. A virus like the alleged president would find a way to screw his enemies using it.

        • Re: (Score:1, Interesting)

          by Anonymous Coward

          Indeed. They'll use the FBI to spy on political rival's campaign, falsely accuse numerous people of crimes on flimsy evidence using a secret court with no accountability, use the tax authorities to harass non-profit entities that don't think the correct thoughts, etc. Obama seems to have left a veritable idiot-proof cookbook to follow.

    • by fuzzyfuzzyfungus ( 1223518 ) on Tuesday September 22, 2020 @05:46AM (#60530962) Journal
      The feds certainly have access to much or all of the code via GSP [microsoft.com]; if they aren't using it it would be down to sheer apathy rather than lack of access.

      As for 'special hardened version', if there is actually a distinct fed fork that's more hardened than the normal enterprise version in some way it's very quiet; but I think that's mostly because Microsoft sees limited value in maintaining a whole separate variant rather than just some settings that you can toggle if desired. Most obvious example is FIPS mode [microsoft.com], which is off by default and not recommended for general compatibility with your random commercial/LOB stuff; but can just be toggled on if you need FIPS compliance. The 'Security Baselines' and NIST and NSA guidance provide a long list of other security toggles that you can play with but which are off by default for compatibility purposes.

      Assuming a given agency is making aggressive use of those it will, in practice, be running something that's harder in a variety of ways than stock windows; but not something that's a totally different product.
    • by Anonymous Coward

      Trusted Computer System Evaluation Criteria(TCSEC): https://www.cs.clemson.edu/cou... [clemson.edu]
      Assessing Controlled Access Protection: https://apps.dtic.mil/dtic/tr/... [dtic.mil]
      NT4 awarded E3/F-C2 security classification: https://slashdot.org/story/99/... [slashdot.org]
      Solaris C2 Auditing with BSM: https://www.sans.org/reading-r... [sans.org]

    • by Zocalo ( 252965 )
      If they're competent, then they're not really running a "consumer" version of the OS. Firstly, I'd expect many of the more critical installations to be running Enterprise versions of Windows, with only the required components and reasonable GPOs, etc. in place, which can significantly reduce the potential attack surface compared to a typical Windows 10 Pro/Home installation. Additionally, there are hardening standards for Windows 10 and Server (amongst many other things) that are pretty thorough. They're
      • That's true, but doesn't solve the, "hard and crunchy on the outside and soft and chewy on the inside" problem. Vulnerabilities (e.g., active directory related) can have outsized, negative effects on (more or less) homogeneous Windows-based networks. Once you reach a vulnerable service, a Windows computer is a Windows computer. A couple of vulnerabilities/exploits can go a long way.

        • by malkavian ( 9512 )

          That's why you have network based IDS/IPS. That'll have a fair shot at detection of a lot of things. And if you really play with Windows to harden it (in the same way that configuring Linux hardens it from stock release), it's pretty tight.
          If you've got past all that kind of security, and found your zero day works, then it doesn't matter which platform you targeted to compromise; either Windows or Linux would fall.

      • > If they're competent,

        They're not.

      • Zocalo, Almost all Federal agencies do indeed use Enterprise Windows with "locked-down" group policies. But as you must know, that doesn't keep workstations safe from the many many vulnerabilities that are constantly being discovered. The question raised earlier is quite relevant: Why does the government use such a vulnerable operating system when there are safer alternatives? The answer is that the government is so in bed with Microsoft that they couldn't get out if they wanted to. (And apparently they don

        • by malkavian ( 9512 )

          Security is the eternal playoff against usability. Linux has the same issues. So does Apple.
          If someone is willing to spend the time to target you and find that special zero day flaw that'll get through your defenses, you're toast.
          Yes, Government could get out of Microsoft applications if it wanted to; there's just no technically pressing reason to do so, and an awful lot of expense on re-training, re-architecting and re-developing a whole load of things.
          At this point in time, it's simply not worth the cos

    • by Megane ( 129182 )

      Hardened Windows? The last time they did that, it was back in the NT days. Step 1 was "remove all network connections". It's hard to harden an OS that constantly forces *all* updates all the time, not just security patches.

      The only proper fix for WIndows is the old "3 R's"... Reboot, Reinstall, Red Hat. (not endorsing RH, that was just the meme here 15+ years ago.)

    • For the same reason that many large companies use Microsoft products for network management, Domain Controllers and Active Directory make it easy to manage large numbers of Windows user computers. Every Patch Tuesday, MS releases patches that admins need to apply to hundreds or perhaps thousands of computers. This occurs every other Tuesday like clockwork. Occasionally, MS releases out of cycle security related patches that need to be applied before blackhats RE that patch, id the vulnerability, and create

    • by 1s44c ( 552956 )

      Snowdon got NSA documentation because they stored it on Active Directory managed windows machines. Government IT has issues, to put it mildly.

      As to a hardened version of windows - that's caused turd polishing.

      • As do most/all large organizations. Isn't there other stories here about other major IT issues? I see Boeing and Activision right now. It's not just a GOV problem.
        • by 1s44c ( 552956 )

          I agree totally, many places have IT mismanagement problems. But the information the NSA collects is literally used for killing people, funding revolutionary/terrorist groups who kill people, and sometimes full on invasions. The NSA should be orders of magnitude more careful than Boeing.

    • Because CPUs and hardware manufacturers work closely with MS to support it as soon as the devices hit the market. Try to solve the typical corporation software need with Chromebooks.....
    • There are special versions and special configurations that essentially harden, least privilege and/or create bastion hosts and isolated AD domains. The question is did the administrators design and implement such systems? Not likely.

    • Many businesses and government departments want an email/scheduling system that's tightly integrated and that sucks them in to an Outlook/Exchange paradigm and licensing that basically comes with Office so they use it too.

      Google has a weak competitor but even more businesses don't trust Google.

      Why haven't these disparate countries come together to build a great open source replacement? I get that Munich had fistfulls of money thrown at them but that can only happen so many times.

      We all know that Libreoffic

    • Because they wanted a small government, small enough to drown in a bathtub. A government that has to code its own stuff is not small, that job is better left to the private sector. /s

  • There are people that are always waiting for such an opportunity.
    • the USA is already circling the drain, look at what crap we have for POTUS and the choice for the next election, i doubt the USA remains relevant for much longer, the USA is already in decline and i expect it to be just another backwater has-been nation soon like Greece, Italy (Rome), England (British Empire) or Russia (USSR) are, all great empires eventually go corrupt and lose thier greatness, now is the time to laugh at trump and tell him so much for making america great again and you're fired
  • I remember when the US Government use to ignore computer security issues because it would require money to fix it. The proper response would have been to
      (do not pass go) require all computers to be shut down until they can show they are reasonably protected. The government and businesses should not run computers unless they are paying for active security reviews and have immediate response.

  • by kaur ( 1948056 ) on Tuesday September 22, 2020 @06:45AM (#60531036)

    Every country in the world is going through the same excercise right now, but they have some extra questions:
    Why do we use a consumer OS built by an US company?
    Can we trust USA to be our ally and not abuse its power over Microsoft?
    Can we trust USA to stay our ally in the forseeable future (which is approx 5-10 years in the tech world)?
    What additional controls should we use and place on Windows for the risk to be manageable?
    Should we switch?
    To what?

    These questions are mostly rhetorical in the Western countries, say Germany. Everybody keeps using Windows, BSI enrolls on Microsoft Government Security Program (GSP, https://www.microsoft.com/en-u... [microsoft.com]), federal agencies (Germany is a federal country much like USA) keep some of the their stuff away from Azure, Microsoft builds some new data centres into Frankfurt to be compliant with German rules.
    But imagine the same discussions happening in Arab countries.. or India.. or Russia...

    • Interesting you specifically called out Germany. Munich is once again going back to Linux. The only major government agency I am aware of using Linux. China I think also is a big user at the government level of Linux. And I suspect China if it has not already will move completely off windows.
      • by kaur ( 1948056 )

        Interesting you specifically called out Germany.

        I chose Germany as this is one of the few countries that has both the will and technical expertise to dig into Microsoft's code and architecture. But even THEY are hopelessly entrenched in Microsoft. The only action they have taken /AFAIK/ has been to take some data centres over and run them in Germany by German agencies (ie, Deutche Telekom).

        If even Germany sees no hope - then what does this spell it for the rest of us?

  • by jeffasselin ( 566598 ) <<cormacolinde> <at> <gmail.com>> on Tuesday September 22, 2020 @07:06AM (#60531070) Journal

    The patch was released last month with the august cumulative updates, in fact. The details of the vulnerability and exploit code only came out last week, but anyone who read the advisory back then knew this was a bad one.

  • by v1 ( 525388 ) on Tuesday September 22, 2020 @07:07AM (#60531076) Homepage Journal

    it looks like the CVE was initially released on August 11? "CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability Published: 08/11/2020 "

    Funny they're just NOW in a hurry to patch a severity-10 that's been out now for six weeks???

    "Now that we've given all the state actors plenty of time to get back doors installed in our network, lets go ahead and make sure we get that patch on!"

    Granted, it took Microsoft until last Tuesday to publilsh a patch, but any competent admin would have looked at that and said "that goes on NOW" and has already closed that barn door. Sure, tell the idiots to get it done immediately, then review the "completion reports" and fire everyone that waited until they were ordered to patch their servers, and hire competent replacements.

    (and why'd it take MS so long to patch a 10 anyway?)

    • Not easy to quietly install a back door with this vulnerability. Most orgs would notice if one of their domain controllers suddenly stopped working, and investigate. This is more likely to be used for a smash and grab type of attack where the attacker wants to do a quick exfiltration.
      • by Bert64 ( 520050 )

        It changes the password, but once you have access you can change it back... One domain controller (you have several right?) would be out of action for a few seconds, could easily go unnoticed if it happened late at night.

        • by HiThere ( 15173 )

          After it's changed the password, do you KNOW what the prior password was? That's worse than I thought, you should only have been able to determine it's hashed value, if that. I suppose you could reinsert the hash, but then you're locked out again. (Well, except for the malware you installed while it was open.)

          • by Bert64 ( 520050 )

            You can extract the previous password hash from the password history, then you can put the old hash back. There are instructions for this online now:

            https://github.com/risksense/z... [github.com]

            Exploit this, login and dump ALL hashes including history, use the history to reset the password to what it was, then use any one of the password hashes you just dumped to login again.

        • I don't know of any mechanism in this case to find what the previous password was. Link 'em if you got 'em :)
          • by Bert64 ( 520050 )

            Once you've successfully exploited the system, you can dump out all the password hashes including the password history.

            https://github.com/risksense/z... [github.com]

            Then not only can you set the password hash back to what it was, you can also use any one of the hashes you just dumped to log in, or you can use the krbtgt hash to create a golden ticket etc.

            • by Bert64 ( 520050 )

              There is also lsadump, the password of the machine account will always be stored unhashed on the machine to which it belongs so you could get it from there too.

        • If you had a mechanism to know the current password you wouldn't need to use the change password function.
    • by MatthiasF ( 1853064 ) on Tuesday September 22, 2020 @07:57AM (#60531184)

      Patch was released on August 11, which was a "Patch Tuesday". The vulnerability was told to Microsoft in July according to the researchers. And the vulnerability broadly announced on September 11th.

      This means Microsoft fixed it in approximately a month across thirteen versions of Windows and the researchers gave a month for the patch to make it's way out to the public through Windows Update before publicly publishing their finding.

      The US Department of Homeland Security are just making sure all federal agencies take the issue seriously and double check the patch was applied by a deadline. Other world governments should be doing the same.

      So, Microsoft didn't really take a long time, unless 30 days is too long for you to develop a critical patch and test on all supported platforms.

      This is just the first time most non-sysadmins have heard of the issue.

      • by HiThere ( 15173 )

        Well, 30 days is far too long, but it's also so quick that the patch had better be pretty simple, or the fix may be worse.

        The thing is, a zero-day needs to be patched yesterday. This is, of course, impossible, but that's what's needed. OTOH, code needs to be checked carefully for bugs...and that CAN'T be done quickly except for really simple things with very few edge cases. Now talk about multiple different versions.....

  • If I buy a car and it's poor design injures me I can sue. If we can't sue software makers for injuring us then the law needs to change.
    • But if they make an update to fix a problem, and you just don't install the update, can they be held responsible?

    • by bws111 ( 1216812 )

      Of course you can sue. Winning such a suit is a completely different story. You would have to prove that the software was what caused the actual injury, and not some criminal act by a third party. Can you win a lawsuit against a car manufacturer because a brake line failed and you crashed? Certainly. Can you win a lawsuit against a car manufacturer because someone CUT your brake line and you crashed? Nope.

    • by labnet ( 457441 )

      That’s like saying I have a car and when a thief punches a screwdriver just below the lock while holding the door handle up and rocking the car, the door pops open, thus the car maker blamed for not designing a secure enough car.

  • Patch (Score:5, Funny)

    by StormReaver ( 59959 ) on Tuesday September 22, 2020 @07:32AM (#60531126)

    I've recently come across internal Microsoft documents that contain direct URL's for the patch.

    For Microsoft servers: https://www.debian.org/ [debian.org]
    For Microsoft desktops: https://kubuntu.org/ [kubuntu.org]

    You're welcome.

It is better to live rich than to die rich. -- Samuel Johnson

Working...