This emergency directive requires the following actions: This determination is based on the likelihood of the vulnerabilities being weaponized, combined with the widespread use of the affected software across the Executive Branch and high potential for a compromise of integrity and confidentiality of agency information. Aside from removing affected endpoints from the network, applying this patch is the only known technical mitigation to these vulnerabilities.ĬISA has determined that these vulnerabilities pose an unacceptable risk to the Federal enterprise and require an immediate and emergency action. Though the Cybersecurity and Infrastructure Security Agency (CISA) is unaware of active exploitation of these vulnerabilities, once a patch has been publicly released, the underlying vulnerabilities can be reverse engineered to create an exploit. The client vulnerability can be exploited by convincing a user to connect to a malicious server. The server vulnerabilities do not require authentication or user interaction and can be exploited by a specially crafted request. Vulnerabilities in the Windows Remote Desktop client (affecting all supported versions of Windows, including Server) and RDP Gateway Server (affecting Server 2012, 2016, 2019) allow for remote code execution, where arbitrary code could be run freely. Additionally, a maliciously crafted certificate could be issued for a hostname that did not authorize it, and a browser that relies on Windows’ CryptoAPI would not issue a warning, allowing an attacker to decrypt, modify, or inject data on user connections without detection. It bypasses the trust store, allowing unwanted or malicious software to masquerade as authentically signed by a trusted or trustworthy organization, which may deceive users or thwart malware detection methods like anti-virus. The vulnerability in ECC certificate validation affects Windows 10, Server 2016, and Server 2019. Among the vulnerabilities patched were weaknesses in how Windows validates Elliptic Curve Cryptography (ECC) certificates 1 and how Windows handles connection requests in the Remote Desktop Protocol (RDP) server and client. On January 14, 2020, Microsoft released a software patch to mitigate significant vulnerabilities in supported Windows operating systems. These directives do not apply to statutorily-defined “national security systems” nor to systems operated by the Department of Defense or the Intelligence Community. § 655(3).įederal agencies are required to comply with these directives. Section 2205(3) of the Homeland Security Act of 2002, as amended, delegates this authority to the Director of the Cybersecurity and Infrastructure Security Agency. Code, authorizes the Secretary of Homeland Security, in response to a known or reasonably suspected information security threat, vulnerability, or incident that represents a substantial threat to the information security of an agency, to “issue an emergency directive to the head of an agency to take any lawful action with respect to the operation of the information system, including such systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat.” 44 U.S.C. This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Emergency Directive 20-02, “ Mitigate Windows Vulnerabilities from January 2020 Patch Tuesday”.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |