
IT Spotlight


DHS has issued Emergency Directive 20-03 on this vulnerability, which can be viewed here: https://cyber.dhs.gov/ed/20-03/. (Article quoted below for posterity)

Here is a description of the vulnerability:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350 (Article quoted below for posterity)

Please note that while the vulnerability only affects servers with DNS services, Cyber is required to report on the patch status today (July 20, 2020) and Thursday (July 23, 2020).

Please patch servers immediately by installing Windows Updates.



If you are not able to patch for some reason, e.g. Windows Server 2012 without ESU, then you can apply the workaround described here: https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability
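The registry workaround from the linked Microsoft article (and described in the CISA directive quoted below) can be audited, applied and later removed with a script like the following. This is an added example, not code from this page, LBNL IT or Microsoft; the key path, value name and 0xFF00 value are the ones Microsoft documents in KB4569509, while `$InstalledKB` is a placeholder you must fill with the July 2020 update KB for your server build.

```powershell
# Added example: audit/apply/remove the CVE-2020-1350 TcpReceivePacketSize workaround.
# Run in an elevated PowerShell session on the Windows Server being checked.
# Key, value name and 0xFF00 come from Microsoft KB4569509 (linked above).
# $InstalledKB is a placeholder, NOT a value from this page: look up the July 2020
# cumulative update KB for your OS build in the CVE-2020-1350 advisory.
param(
    [ValidateSet('Audit', 'Apply', 'Remove')] [string] $Action = 'Audit',
    [string] $InstalledKB = 'KBXXXXXXX'   # placeholder, fill in from the advisory
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$SafeValue = 0xFF00   # 65280 bytes; larger TCP DNS responses are silently dropped

function Get-DnsWorkaroundState {
    # Returns DNS role, workaround and patch status for this host in one object.
    $dnsRole = (Get-WindowsFeature -Name DNS -ErrorAction SilentlyContinue).Installed
    $value   = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    $patched = [bool](Get-HotFix -Id $InstalledKB -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        DnsRoleInstalled  = [bool]$dnsRole
        WorkaroundPresent = ($value -eq $SafeValue)
        WorkaroundValue   = $value
        PatchInstalled    = $patched
        # ED 20-03 wants the update OR the workaround on every DNS server;
        # a host without the DNS role is out of scope for the DNS deadline.
        Compliant         = (-not $dnsRole) -or $patched -or ($value -eq $SafeValue)
    }
}

switch ($Action) {
    'Apply' {
        # Set the DWORD and restart the DNS service; no server reboot is required.
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
                         -Value $SafeValue -Force | Out-Null
        Restart-Service -Name DNS
    }
    'Remove' {
        # Once the update is installed, drop the nonstandard setting as the directive asks.
        Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
        Restart-Service -Name DNS
    }
}

Get-DnsWorkaroundState | Format-List
```

Run it with `-Action Audit` on each server to collect the status Cyber is asking for; the `Compliant` field is false only for a DNS-role server that has neither the update nor the workaround.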


Article Quotes for Posterity

DHS Emergency Directive 20-03


July 16, 2020


Mitigate Windows DNS Server Vulnerability from July 2020 Patch Tuesday


This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Emergency Directive 20-03, “Mitigate Windows DNS Server Remote Code Execution Vulnerability from July 2020 Patch Tuesday”. Additionally, see CISA’s blog post.


Section 3553(h) of title 44, U.S. Code, authorizes the Secretary of Homeland Security, in response to a known or reasonably suspected information security threat, vulnerability, or incident that represents a substantial threat to the information security of an agency, to “issue an emergency directive to the head of an agency to take any lawful action with respect to the operation of the information system, including such systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat.” 44 U.S.C. § 3553(h)(1)–(2)


Section 2205(3) of the Homeland Security Act of 2002, as amended, delegates this authority to the Director of the Cybersecurity and Infrastructure Security Agency. 6 U.S.C. § 655(3).


Federal agencies are required to comply with these directives. 44 U.S.C. § 3554 (a)(1)(B)(v)


These directives do not apply to statutorily-defined “national security systems” nor to systems operated by the Department of Defense or the Intelligence Community. 44 U.S.C. § 3553(d), (e)(2), (e)(3), (h)(1)(B).


Background


On July 14, 2020, Microsoft released a software update to mitigate a critical vulnerability in Windows Server operating systems, CVE-2020-1350. A remote code execution vulnerability exists in how Windows Server is configured to run the Domain Name System (DNS) Server role. If exploited, the vulnerability could allow an attacker to run arbitrary code in the context of the Local System Account. To exploit the vulnerability, an unauthenticated attacker sends malicious requests to a Windows DNS server.


The Cybersecurity and Infrastructure Security Agency (CISA) is unaware of active exploitation of this vulnerability, but assesses that the underlying vulnerabilities can be quickly reverse engineered from a publicly available patch. Aside from removing affected endpoints from the network, there are two known technical mitigations to this vulnerability:


    1. a software update, and
    2. a registry modification.


CISA has determined that this vulnerability poses unacceptable significant risk to the Federal Civilian Executive Branch and requires an immediate and emergency action. This determination is based on the likelihood of the vulnerability being exploited, the widespread use of the affected software across the Federal enterprise, the high potential for a compromise of agency information systems, and the grave impact of a successful compromise.


CISA requires that agencies apply the security update to all endpoints running Windows Server operating system as soon as possible. A registry modification workaround can help protect an affected Windows DNS server temporarily (until an update can be applied), and it can be implemented without requiring a restart of the server. The registry modification workaround will cause DNS servers to drop response packets that exceed the recommended value without error, and it is possible that some queries may not be answered. The registry modification workaround is compatible with the security update but should be removed once the update is applied to prevent potential future impact that could result from running a nonstandard configuration.


Required Actions


This emergency directive requires the following actions:


    1. Update all endpoints running Windows Server operating systems.

      a. By 2:00 pm EDT, Friday, July 17, 2020, ensure the July 2020 Security Update or registry modification workaround is applied to all Windows Servers running the DNS role.

      b. By 2:00 pm EDT, Friday, July 24, 2020, ensure the July 2020 Security Update is applied to all Windows Servers and, if necessary and applicable, the registry change workaround is removed.

      c. By 2:00 pm EDT, Friday, July 24, 2020, ensure technical and/or management controls are in place to ensure newly provisioned or previously disconnected servers are updated before connecting to agency networks.


CISA recommends agencies focus on updating Windows Servers running the DNS role first.


These requirements apply to Windows Servers in any information system, including information systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.


In instances where servers cannot be updated within 7 business days, CISA advises agencies to consider removing them from their networks.


    2. Report information to CISA

      a. By 2:00 pm EST, Monday, July 20, 2020, submit an initial status report using the provided template. This report will include estimated status information related to the agency’s current status and will identify constraints, support needs, and observed challenges.

      b. By 2:00 pm EST, Friday, July 24, 2020, submit a completion report using the provided template. Department-level Chief Information Officers (CIOs) or equivalents must submit completion reports attesting to CISA that the applicable update has been applied to all affected endpoints and providing assurance that newly provisioned or previously disconnected servers will be patched as required by this directive prior to network connection (per Action 1).


CISA Actions


    • CISA will continue to monitor and work with our partners to identify whether this vulnerability is actively being exploited.
    • CISA will provide additional guidance to agencies via the CISA website, through an emergency directive issuance coordination call, and through individual engagements upon request (via CyberDirectives@cisa.dhs.gov).
    • Beginning August 13, 2020, the CISA Director will engage the CIOs and/or Senior Agency Officials for Risk Management (SAORM) of agencies that have not completed required actions, as appropriate and based on a risk-based approach.
    • By September 3, 2020, CISA will provide a report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) identifying cross-agency status and outstanding issues.


Duration


This emergency directive remains in effect until all agencies have applied the July 2020 Security Update or the directive is terminated through other appropriate action.


Microsoft CVE-2020-1350 | Windows DNS Server Remote Code Execution Vulnerability

Security Vulnerability

Published: 07/14/2020 | Last Updated: 07/15/2020
MITRE CVE-2020-1350

A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.

To exploit the vulnerability, an unauthenticated attacker could send malicious requests to a Windows DNS server.

The update addresses the vulnerability by modifying how Windows DNS servers handle requests.



As of January 14, 2020, Microsoft ended support for Windows 7. Computers running Windows 7 will no longer receive security patches. Most machines are able to upgrade to Windows 10; see Windows 7 End of Life and Upgrade to Windows 10. If you are running legacy software or have computers attached to scientific equipment that only work with Windows 7, you must register them with IT or risk being blocked from the network. Windows 7 computers that have not been registered on the Windows 7 Exception Request Form will be blocked after June 30, 2020.


Related links:

On March 12, 2020 Microsoft released a warning to immediately update and reboot Windows systems due to a Microsoft SMBv3 Client/Server Remote Code Execution Vulnerability. Users are advised this is an extremely dangerous vulnerability and MUST be addressed right away.

Users should know that if their systems are not patched appropriately and an attack is launched against this vulnerability, LBNL will temporarily block the affected computers. If this occurs, users will be unable to remotely access their computers, which could impact their ability to telecommute. IT strongly advises all users to apply patches immediately and REBOOT.

Any questions or concerns can be directed to security@lbl.gov.

Thanks to Windows Server Update Service (WSUS), Windows Reboot Reminders, and BigFix, IT User Support is able to identify vulnerable software running on LBL systems. If you wish to receive proactive communications regarding the health of your computer, you can Download BigFix and install it. If you have further questions about BigFix, please Request Help.

Reminder: always keep your operating system up to date, your applications patched, and your system rebooted at least once a week! Follow IT Best Practices to ensure computer health.

RELATED ARTICLES

Berkeley Lab Cyber Security has discovered bad guys exploiting Apple's Remote Management service to conduct reflected denial-of-service (DoS) attacks.

What to do?

In order to protect Berkeley Lab computers from participating in this hostile activity, we require all users to disable the Apple Remote Management service. To disable this service:

  1. In the Apple menu, select System Preferences
  2. Select Sharing
  3. Uncheck Remote Management

This change will not have any adverse effects for most users and is in fact the Apple default. You can still use Apple Remote Desktop and VNC to connect if you enable "Screen Sharing". If you believe disabling Remote Management will create an adverse situation for you, please contact security@lbl.gov.

IT will use BigFix to prompt users to automatically disable the Apple Remote Management Service on all systems running in Active Management Mode. For systems in Passive Management Mode, a BigFix Offer will be provided for users to disable it manually.


BigFix can be downloaded from https://go.lbl.gov/DownloadBigFix. For any further inquiries Request Help.

Technical Details



Microsoft has taken a different approach to updating Windows 10, releasing major builds twice a year. Each build has its own lifecycle and ceases to be supported on its End of Service date. Users should know that they must commit to regularly updating their Windows 10 operating system or risk exposure to cyber threats and/or being blocked from the network.

Microsoft has published the Windows 10 lifecycle fact sheet (https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet), see the table below.

Windows 10 version history | Date of availability | End of service
---------------------------|----------------------|------------------
Windows 10, version 2004   | May 27, 2020         | December 14, 2021
Windows 10, version 1909   | November 12, 2019    | May 11, 2021
Windows 10, version 1903   | May 21, 2019         | December 8, 2020
Windows 10, version 1809   | November 13, 2018    | November 10, 2020
Windows 10, version 1803   | April 30, 2018       | November 12, 2019
Windows 10, version 1709   | October 17, 2017     | April 9, 2019
Windows 10, version 1607   | August 2, 2016       | April 10, 2018
Windows 10, version 1511   | July 29, 2015        | May 9, 2017

Table updated on July 9, 2020.

Thanks to Berkeley Lab BigFix and support from our LBL Active Directory and our Windows Server Update Service (WSUS), we have discovered 43 Windows computers that have not updated their Windows 10, version 1511 operating system. These systems must update immediately. IT User Support will be reaching out to these users in the next week to provide any support needed with their Windows 10 update.

To find out which Windows 10 version you are running, see Which Windows operating system am I running? (https://support.microsoft.com/en-us/help/13443/windows-which-operating-system)

Users should be mindful regarding Windows Updates:

  • Back up your system before running Windows Update; you can use Druva inSync from our software download page, https://software.lbl.gov/swSoftwareDetails.php?applicationID=184

  • Update files can be big and may take some time to download

  • Once the Update starts to download you can minimize it and continue working

  • When the download is complete it will ask for a reboot, you can pause or reschedule for the end of the day (Note: update will not finish without a reboot)

  • Application of system settings after a Windows Update may require another 15-30 minutes after you reboot and login

Users can request help with updating their Windows 10 system by clicking on the link below.

Remember: do not put off updating your computer; update regularly!

REQUEST HELP

RELATED ARTICLES

This project was possible because IT identified affected systems with Berkeley Lab BigFix. To get Berkeley Lab BigFix for your computer, please visit software.lbl.gov.
