Government Security United States Windows

Feds Issue Emergency Order For Agencies To Patch Critical Windows Flaw (arstechnica.com) 61

The US Department of Homeland Security is giving federal agencies until midnight on Tuesday to patch a critical Windows vulnerability that can make it easy for attackers to become all-powerful administrators with free rein to create accounts, infect an entire network with malware, and carry out similarly disastrous actions. Ars Technica reports: Zerologon, as researchers have dubbed the vulnerability, allows malicious hackers to instantly gain unauthorized control of the Active Directory. An Active Directory stores data relating to users and computers that are authorized to use email, file sharing, and other sensitive services inside large organizations. Zerologon is tracked as CVE-2020-1472. Microsoft published a patch last Tuesday. The flaw, which is present in all supported Windows server versions, carries a critical severity rating from Microsoft as well as a maximum of 10 under the Common Vulnerability Scoring System. Further raising the stakes was the release by multiple researchers of proof-of-concept exploit code that could provide a roadmap for malicious hackers to create working attacks.

Officials with the Cybersecurity and Infrastructure Security Agency, which belongs to the DHS, issued an emergency directive on Friday that warned of the potentially severe consequences for organizations that don't patch. [The agency's statement can be found in the article.] CISA, which has authorization to issue emergency directives intended to mitigate known or suspected security threats, is giving organizations until 11:59pm EDT on Monday to either install a Microsoft patch or disconnect the vulnerable domain controller from the organization network. No later than 11:59pm EDT on Wednesday, agencies are to submit a completion report attesting the update has been applied to all affected servers or provide assurance that newly provisioned or previously disconnected servers will be patched.
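The directive boils down to a procedure: confirm every domain controller carries the Netlogon fix, disconnect any that does not, and produce a completion report. The script below is an added example written for this page; it is not code from Ars Technica, Slashdot, Microsoft or CISA. It assumes the RSAT ActiveDirectory module on the admin host and WinRM plus remote event-log access to each DC. The Netlogon event IDs 5827-5831 and the FullSecureChannelProtection registry value are the ones Microsoft documented for CVE-2020-1472 in KB4557222; the sample build-to-UBR map is the author's recollection of the 11 August 2020 cumulative updates and must be checked against Microsoft's update-history pages before the output is trusted.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the article or the directive): gather, per DC, the
# evidence a completion report needs: OS build vs. the August 2020 cumulative
# update, Netlogon enforcement mode, and recent Netlogon 582x events.

function Get-ZerologonPatchStatus {
    [CmdletBinding()]
    param(
        # Build number -> minimum UBR (the ".nnnn" part) that contains the fix.
        # Sample values are an assumption from memory (Server 2019 = 17763.1397,
        # Server 2016 = 14393.3866); verify against Microsoft's update history.
        [hashtable] $MinimumUbr = @{ '17763' = 1397; '14393' = 3866 },
        [string[]]  $DomainController = (Get-ADDomainController -Filter * |
                                          Select-Object -ExpandProperty HostName),
        [int]       $LookbackDays = 7
    )

    foreach ($dc in $DomainController) {
        $r = [ordered]@{
            DomainController  = $dc
            Build             = $null
            PatchedBuild      = $null     # $true / $false / $null (build not in map)
            EnforcementMode   = 'Unreachable'
            VulnerableAllowed = 0         # 5829/5830/5831: vulnerable channel allowed
            VulnerableDenied  = 0         # 5827/5828: vulnerable channel refused
            Verdict           = 'Unreachable'
        }

        try {
            $remote = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
                $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
                $nl  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
                         -Name FullSecureChannelProtection -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    BuildNumber = [string]$ver.CurrentBuildNumber
                    Ubr         = [int]$ver.UBR
                    Enforce     = if ($null -eq $nl) { $null } else { [int]$nl.FullSecureChannelProtection }
                }
            }
        } catch {
            [pscustomobject]$r      # unreachable DC: still goes in the report
            continue
        }

        $r.Build = "$($remote.BuildNumber).$($remote.Ubr)"
        if ($MinimumUbr.ContainsKey($remote.BuildNumber)) {
            $r.PatchedBuild = $remote.Ubr -ge [int]$MinimumUbr[$remote.BuildNumber]
        }

        # Value absent = deployment phase (vulnerable connections from non-Windows
        # devices still allowed but logged); 1 = enforcement for everything.
        if ($null -eq $remote.Enforce)  { $r.EnforcementMode = 'NotSet (deployment phase)' }
        elseif ($remote.Enforce -eq 1)  { $r.EnforcementMode = 'Enforced' }
        else                            { $r.EnforcementMode = 'Disabled' }

        # These events are only written by a patched Netlogon. 5829 entries name
        # the devices that will break once vulnerable connections are refused.
        $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'NETLOGON'
            Id           = 5827, 5828, 5829, 5830, 5831
            StartTime    = (Get-Date).AddDays(-$LookbackDays)
        }
        foreach ($e in $events) {
            if ($e.Id -in @(5827, 5828)) { $r.VulnerableDenied++ } else { $r.VulnerableAllowed++ }
        }

        if ($r.PatchedBuild -eq $false)        { $r.Verdict = 'PATCH OR DISCONNECT' }
        elseif ($null -eq $r.PatchedBuild)     { $r.Verdict = 'Unknown build: check manually' }
        elseif ($r.VulnerableAllowed -gt 0)    { $r.Verdict = 'Patched; vulnerable clients still allowed' }
        else                                   { $r.Verdict = 'Patched' }

        [pscustomobject]$r
    }
}

# Usage: run from a domain-joined admin host and keep the output for the report.
Get-ZerologonPatchStatus | Format-Table -AutoSize
```

The build comparison only works for cumulative-update platforms (Server 2016 and later); for Server 2012 R2 and older, which take monthly rollups, substitute a Get-HotFix check against the rollup KB from Microsoft's advisory. A DC that reports "Patched" but a non-zero VulnerableAllowed count is compliant with the directive yet still accepting vulnerable Netlogon channels, so the 5829 entries should be worked through before switching on enforcement.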

  • Or at least a consumer version of the OS. Surely they should have a special hardened version of either windows or linux that they've vetted the code of? Ok that might not catch every flaw but it should catch quite a few.

    • by Z00L00K ( 682162 ) on Tuesday September 22, 2020 @06:14AM (#60530938) Homepage Journal

      Everyone uses M$ for the users. The era of X terminals and vanilla terminals ended some time in the 90's.

    • by azcoyote ( 1101073 ) on Tuesday September 22, 2020 @06:18AM (#60530942)
      While on the one hand it does make sense that a more targeted OS, made specifically for a government, would have fewer flaws because it has to please fewer people, on the other this would require a government to have the programming talent to build and maintain the code. The government then would have to competitively pay for good talent and allow them to work without dealing with frivolous demands, infighting, and overall stupidity. On top of that, government agencies sometimes do use in-house programs, and these would have to be adapted to run on this government-specific OS without introducing more bugs and vulnerabilities. If a government could pull this off, it would be great. But in actuality, the tragedy of bureaucracy makes it so that such an OS would likely be more vulnerable, not less.
      • by gtall ( 79522 )

        Ditto. Not only that, a gov. OS would be susceptible to political interference. A virus like the alleged president would find a way to screw his enemies using it.

        • Re: (Score:1, Interesting)

          by Anonymous Coward

          Indeed. They'll use the FBI to spy on a political rival's campaign, falsely accuse numerous people of crimes on flimsy evidence using a secret court with no accountability, use the tax authorities to harass non-profit entities that don't think the correct thoughts, etc. Obama seems to have left a veritable idiot-proof cookbook to follow.

    • by fuzzyfuzzyfungus ( 1223518 ) on Tuesday September 22, 2020 @06:46AM (#60530962) Journal
      The feds certainly have access to much or all of the code via GSP [microsoft.com]; if they aren't using it it would be down to sheer apathy rather than lack of access.

      As for 'special hardened version', if there is actually a distinct fed fork that's more hardened than the normal enterprise version in some way it's very quiet; but I think that's mostly because Microsoft sees limited value in maintaining a whole separate variant rather than just some settings that you can toggle if desired. Most obvious example is FIPS mode [microsoft.com], which is off by default and not recommended for general compatibility with your random commercial/LOB stuff; but can just be toggled on if you need FIPS compliance. The 'Security Baselines' and NIST and NSA guidance provide a long list of other security toggles that you can play with but which are off by default for compatibility purposes.

      Assuming a given agency is making aggressive use of those it will, in practice, be running something that's harder in a variety of ways than stock windows; but not something that's a totally different product.
    • by Anonymous Coward

      Trusted Computer System Evaluation Criteria(TCSEC): https://www.cs.clemson.edu/cou... [clemson.edu]
      Assessing Controlled Access Protection: https://apps.dtic.mil/dtic/tr/... [dtic.mil]
      NT4 awarded E3/F-C2 security classification: https://slashdot.org/story/99/... [slashdot.org]
      Solaris C2 Auditing with BSM: https://www.sans.org/reading-r... [sans.org]

    • by Zocalo ( 252965 )
      If they're competent, then they're not really running a "consumer" version of the OS. Firstly, I'd expect many of the more critical installations to be running Enterprise versions of Windows, with only the required components and reasonable GPOs, etc. in place, which can significantly reduce the potential attack surface compared to a typical Windows 10 Pro/Home installation. Additionally, there are hardening standards for Windows 10 and Server (amongst many other things) that are pretty thorough. They're
      • That's true, but doesn't solve the, "hard and crunchy on the outside and soft and chewy on the inside" problem. Vulnerabilities (e.g., active directory related) can have outsized, negative effects on (more or less) homogeneous Windows-based networks. Once you reach a vulnerable service, a Windows computer is a Windows computer. A couple of vulnerabilities/exploits can go a long way.

        • by malkavian ( 9512 )

          That's why you have network based IDS/IPS. That'll have a fair shot at detection of a lot of things. And if you really play with Windows to harden it (in the same way that configuring Linux hardens it from stock release), it's pretty tight.
          If you've got past all that kind of security, and found your zero day works, then it doesn't matter which platform you targeted to compromise; either Windows or Linux would fall.

      • > If they're competent,

        They're not.

      • Zocalo, Almost all Federal agencies do indeed use Enterprise Windows with "locked-down" group policies. But as you must know, that doesn't keep workstations safe from the many many vulnerabilities that are constantly being discovered. The question raised earlier is quite relevant: Why does the government use such a vulnerable operating system when there are safer alternatives? The answer is that the government is so in bed with Microsoft that they couldn't get out if they wanted to. (And apparently they don

        • by malkavian ( 9512 )

          Security is the eternal playoff against usability. Linux has the same issues. So does Apple.
          If someone is willing to spend the time to target you and find that special zero day flaw that'll get through your defenses, you're toast.
          Yes, Government could get out of Microsoft applications if it wanted to; there's just no technically pressing reason to do so, and an awful lot of expense on re-training, re-architecting and re-developing a whole load of things.
          At this point in time, it's simply not worth the cos

    • by Megane ( 129182 )

      Hardened Windows? The last time they did that, it was back in the NT days. Step 1 was "remove all network connections". It's hard to harden an OS that constantly forces *all* updates all the time, not just security patches.

      The only proper fix for Windows is the old "3 R's"... Reboot, Reinstall, Red Hat. (not endorsing RH, that was just the meme here 15+ years ago.)

    • For the same reason that many large companies use Microsoft products for network management, Domain Controllers and Active Directory make it easy to manage large numbers of Windows user computers. Every Patch Tuesday, MS releases patches that admins need to apply to hundreds or perhaps thousands of computers. This occurs every other Tuesday like clockwork. Occasionally, MS releases out of cycle security related patches that need to be applied before blackhats RE that patch, ID the vulnerability, and create

    • by 1s44c ( 552956 )

      Snowden got NSA documentation because they stored it on Active Directory managed windows machines. Government IT has issues, to put it mildly.

      As to a hardened version of windows - that's called turd polishing.

      • As do most/all large organizations. Aren't there other stories here about other major IT issues? I see Boeing and Activision right now. It's not just a GOV problem.
        • by 1s44c ( 552956 )

          I agree totally, many places have IT mismanagement problems. But the information the NSA collects is literally used for killing people, funding revolutionary/terrorist groups who kill people, and sometimes full on invasions. The NSA should be orders of magnitude more careful than Boeing.

    • Because CPUs and hardware manufacturers work closely with MS to support it as soon as the devices hit the market. Try to solve the typical corporation software need with Chromebooks.....
    • There are special versions and special configurations that essentially harden, least privilege and/or create bastion hosts and isolated AD domains. The question is did the administrators design and implement such systems? Not likely.

    • Many businesses and government departments want an email/scheduling system that's tightly integrated and that sucks them in to an Outlook/Exchange paradigm and licensing that basically comes with Office so they use it too.

      Google has a weak competitor but even more businesses don't trust Google.

      Why haven't these disparate countries come together to build a great open source replacement? I get that Munich had fistfuls of money thrown at them but that can only happen so many times.

      We all know that Libreoffic

    • Because they wanted a small government, small enough to drown in a bathtub. A government that has to code its own stuff is not small, that job is better left to the private sector. /s

  • There are people that are always waiting for such an opportunity.
    • The USA is already circling the drain; look at what crap we have for POTUS and the choice for the next election. I doubt the USA remains relevant for much longer. The USA is already in decline and I expect it to be just another backwater has-been nation soon like Greece, Italy (Rome), England (British Empire) or Russia (USSR) are; all great empires eventually go corrupt and lose their greatness. Now is the time to laugh at Trump and tell him so much for making America great again and you're fired.
  • I remember when the US Government used to ignore computer security issues because it would require money to fix them. The proper response would have been to (do not pass go) require all computers to be shut down until they can show they are reasonably protected. The government and businesses should not run computers unless they are paying for active security reviews and have immediate response.

  • by kaur ( 1948056 ) on Tuesday September 22, 2020 @07:45AM (#60531036)

    Every country in the world is going through the same exercise right now, but they have some extra questions:
    Why do we use a consumer OS built by a US company?
    Can we trust USA to be our ally and not abuse its power over Microsoft?
    Can we trust USA to stay our ally in the foreseeable future (which is approx 5-10 years in the tech world)?
    What additional controls should we use and place on Windows for the risk to be manageable?
    Should we switch?
    To what?

    These questions are mostly rhetorical in the Western countries, say Germany. Everybody keeps using Windows, BSI enrolls in the Microsoft Government Security Program (GSP, https://www.microsoft.com/en-u... [microsoft.com]), federal agencies (Germany is a federal country much like USA) keep some of their stuff away from Azure, Microsoft builds some new data centres in Frankfurt to be compliant with German rules.
    But imagine the same discussions happening in Arab countries.. or India.. or Russia...

    • Interesting you specifically called out Germany. Munich is once again going back to Linux. The only major government agency I am aware of using Linux. China I think also is a big user at the government level of Linux. And I suspect China if it has not already will move completely off windows.
      • by kaur ( 1948056 )

        Interesting you specifically called out Germany.

        I chose Germany as this is one of the few countries that has both the will and technical expertise to dig into Microsoft's code and architecture. But even THEY are hopelessly entrenched in Microsoft. The only action they have taken /AFAIK/ has been to take some data centres over and run them in Germany by German agencies (ie, Deutsche Telekom).

        If even Germany sees no hope - then what does this spell for the rest of us?

  • by jeffasselin ( 566598 ) <cormacolindeNO@SPAMgmail.com> on Tuesday September 22, 2020 @08:06AM (#60531070) Journal

    The patch was released last month with the August cumulative updates, in fact. The details of the vulnerability and exploit code only came out last week, but anyone who read the advisory back then knew this was a bad one.

  • by v1 ( 525388 ) on Tuesday September 22, 2020 @08:07AM (#60531076) Homepage Journal

    it looks like the CVE was initially released on August 11? "CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability Published: 08/11/2020 "

    Funny they're just NOW in a hurry to patch a severity-10 that's been out now for six weeks???

    "Now that we've given all the state actors plenty of time to get back doors installed in our network, lets go ahead and make sure we get that patch on!"

    Granted, it took Microsoft until last Tuesday to publish a patch, but any competent admin would have looked at that and said "that goes on NOW" and has already closed that barn door. Sure, tell the idiots to get it done immediately, then review the "completion reports" and fire everyone that waited until they were ordered to patch their servers, and hire competent replacements.

    (and why'd it take MS so long to patch a 10 anyway?)

    • Not easy to quietly install a back door with this vulnerability. Most orgs would notice if one of their domain controllers suddenly stopped working, and investigate. This is more likely to be used for a smash and grab type of attack where the attacker wants to do a quick exfiltration.
      • by Bert64 ( 520050 )

        It changes the password, but once you have access you can change it back... One domain controller (you have several right?) would be out of action for a few seconds, could easily go unnoticed if it happened late at night.

        • by HiThere ( 15173 )

          After it's changed the password, do you KNOW what the prior password was? That's worse than I thought, you should only have been able to determine it's hashed value, if that. I suppose you could reinsert the hash, but then you're locked out again. (Well, except for the malware you installed while it was open.)

          • by Bert64 ( 520050 )

            You can extract the previous password hash from the password history, then you can put the old hash back. There are instructions for this online now:

            https://github.com/risksense/z... [github.com]

            Exploit this, login and dump ALL hashes including history, use the history to reset the password to what it was, then use any one of the password hashes you just dumped to login again.

        • I don't know of any mechanism in this case to find what the previous password was. Link 'em if you got 'em :)
          • by Bert64 ( 520050 )

            Once you've successfully exploited the system, you can dump out all the password hashes including the password history.

            https://github.com/risksense/z... [github.com]

            Then not only can you set the password hash back to what it was, you can also use any one of the hashes you just dumped to log in, or you can use the krbtgt hash to create a golden ticket etc.

            • by Bert64 ( 520050 )

              There is also lsadump, the password of the machine account will always be stored unhashed on the machine to which it belongs so you could get it from there too.

        • If you had a mechanism to know the current password you wouldn't need to use the change password function.
    • by MatthiasF ( 1853064 ) on Tuesday September 22, 2020 @08:57AM (#60531184)

      Patch was released on August 11, which was a "Patch Tuesday". The vulnerability was told to Microsoft in July according to the researchers. And the vulnerability was broadly announced on September 11th.

      This means Microsoft fixed it in approximately a month across thirteen versions of Windows and the researchers gave a month for the patch to make its way out to the public through Windows Update before publicly publishing their findings.

      The US Department of Homeland Security is just making sure all federal agencies take the issue seriously and double check the patch was applied by a deadline. Other world governments should be doing the same.

      So, Microsoft didn't really take a long time, unless 30 days is too long for you to develop a critical patch and test on all supported platforms.

      This is just the first time most non-sysadmins have heard of the issue.

      • by HiThere ( 15173 )

        Well, 30 days is far too long, but it's also so quick that the patch had better be pretty simple, or the fix may be worse.

        The thing is, a zero-day needs to be patched yesterday. This is, of course, impossible, but that's what's needed. OTOH, code needs to be checked carefully for bugs...and that CAN'T be done quickly except for really simple things with very few edge cases. Now talk about multiple different versions.....

  • If I buy a car and it's poor design injures me I can sue. If we can't sue software makers for injuring us then the law needs to change.
    • But if they make an update to fix a problem, and you just don't install the update, can they be held responsible?

    • by bws111 ( 1216812 )

      Of course you can sue. Winning such a suit is a completely different story. You would have to prove that the software was what caused the actual injury, and not some criminal act by a third party. Can you win a lawsuit against a car manufacturer because a brake line failed and you crashed? Certainly. Can you win a lawsuit against a car manufacturer because someone CUT your brake line and you crashed? Nope.

    • by labnet ( 457441 )

      That’s like saying I have a car and when a thief punches a screwdriver just below the lock while holding the door handle up and rocking the car, the door pops open, thus the car maker is blamed for not designing a secure enough car.

  • Patch (Score:5, Funny)

    by StormReaver ( 59959 ) on Tuesday September 22, 2020 @08:32AM (#60531126)

    I've recently come across internal Microsoft documents that contain direct URL's for the patch.

    For Microsoft servers: https://www.debian.org/ [debian.org]
    For Microsoft desktops: https://kubuntu.org/ [kubuntu.org]

    You're welcome.
