
DHS has issued Emergency Directive 20-03 on this vulnerability which can be viewed here: https://cyber.dhs.gov/ed/20-03/. (Article quoted below for posterity)

Here is a description of the vulnerability:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350 (Article quoted below for posterity)

Please note that while the vulnerability only affects servers with DNS services, Cyber is required to report on the patch status today (July 20, 2020) and Thursday (July 23, 2020).

Please patch servers immediately by installing Windows Updates.



If you are not able to patch for some reason, e.g. Windows Server 2012 without ESU, then you can apply the workaround described here. 


https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability
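As an added example (not code from the original post, from DHS, or from Microsoft), the PowerShell script below does on a single server what the two reporting deadlines above ask for: it checks whether the DNS Server role is present, reports whether the registry workaround is in place, and provides functions to apply or remove it. The function names are my own. The registry path and value (TcpReceivePacketSize = 0xFF00 under the DNS service's Parameters key) are the ones Microsoft documents in KB4569509; they are reproduced from that KB, not from this page. The "updates installed since Patch Tuesday" check is only a heuristic; Windows Update remains the authoritative source for patch status.

```powershell
# Added example: audit one Windows Server for the CVE-2020-1350 workaround and patch status.
# Run in an elevated PowerShell session on the server itself.
# Registry path/value are from Microsoft KB4569509 (assumed from that KB, not from this post).

$DnsParams       = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName       = 'TcpReceivePacketSize'
$WorkaroundValue = 0xFF00          # 65280: larger TCP responses are dropped silently
$PatchTuesday    = [datetime]'2020-07-14'

function Test-DnsRoleInstalled {
    # The vulnerability only matters where the DNS Server service exists.
    $svc = Get-Service -Name DNS -ErrorAction SilentlyContinue
    return ($null -ne $svc)
}

function Get-DnsWorkaroundState {
    # Returns 'NotSet', 'Applied', or 'NonStandard' with the hex value actually found.
    $current = Get-ItemProperty -Path $DnsParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $current) { return 'NotSet' }
    if ($current.$ValueName -eq $WorkaroundValue) { return 'Applied' }
    return ('NonStandard (0x{0:X})' -f $current.$ValueName)
}

function Set-DnsWorkaround {
    # Temporary mitigation until the July 2020 update is installed. No reboot is needed,
    # but the DNS service must be restarted for the new value to take effect.
    New-ItemProperty -Path $DnsParams -Name $ValueName -PropertyType DWord `
        -Value $WorkaroundValue -Force | Out-Null
    Restart-Service -Name DNS
}

function Remove-DnsWorkaround {
    # The directive says to remove the workaround once the update is applied,
    # so the server is not left running a nonstandard configuration.
    Remove-ItemProperty -Path $DnsParams -Name $ValueName -ErrorAction SilentlyContinue
    Restart-Service -Name DNS
}

function Get-UpdatesSincePatchTuesday {
    # Heuristic only: lists hotfixes installed on or after July 14, 2020.
    # An empty list is a strong hint the July update has not been applied.
    Get-HotFix | Where-Object { $_.InstalledOn -ge $PatchTuesday } |
        Select-Object HotFixID, Description, InstalledOn
}

# One-line status suitable for pasting into the July 20 / July 23 report.
$updates = @(Get-UpdatesSincePatchTuesday)
if (-not (Test-DnsRoleInstalled)) {
    "$env:COMPUTERNAME: no DNS Server role; $($updates.Count) update(s) since Patch Tuesday (still install the July 2020 update)."
} else {
    "$env:COMPUTERNAME: DNS Server present; workaround = $(Get-DnsWorkaroundState); $($updates.Count) update(s) since Patch Tuesday."
}
```

To mitigate a server that cannot be patched yet, run `Set-DnsWorkaround`; after Windows Update has installed the July 2020 security update, run `Remove-DnsWorkaround` so the server returns to the standard configuration.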


Article Quotes for Posterity

DHS Emergency Directive 20-03


July 16, 2020


Mitigate Windows DNS Server Vulnerability from July 2020 Patch Tuesday


This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Emergency Directive 20-03, “Mitigate Windows DNS Server Remote Code Execution Vulnerability from July 2020 Patch Tuesday”. Additionally, see CISA’s blog post.


Section 3553(h) of title 44, U.S. Code, authorizes the Secretary of Homeland Security, in response to a known or reasonably suspected information security threat, vulnerability, or incident that represents a substantial threat to the information security of an agency, to “issue an emergency directive to the head of an agency to take any lawful action with respect to the operation of the information system, including such systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat.” 44 U.S.C. § 3553(h)(1)–(2)


Section 2205(3) of the Homeland Security Act of 2002, as amended, delegates this authority to the Director of the Cybersecurity and Infrastructure Security Agency. 6 U.S.C. § 655(3).


Federal agencies are required to comply with these directives. 44 U.S.C. § 3554 (a)(1)(B)(v)


These directives do not apply to statutorily-defined “national security systems” nor to systems operated by the Department of Defense or the Intelligence Community. 44 U.S.C. § 3553(d), (e)(2), (e)(3), (h)(1)(B).


Background


On July 14, 2020, Microsoft released a software update to mitigate a critical vulnerability in Windows Server operating systems CVE-2020-1350. A remote code execution vulnerability exists in how Windows Server is configured to run the Domain Name System (DNS) Server role. If exploited, the vulnerability could allow an attacker to run arbitrary code in the context of the Local System Account. To exploit the vulnerability, an unauthenticated attacker sends malicious requests to a Windows DNS server.


The Cybersecurity and Infrastructure Security Agency (CISA) is unaware of active exploitation of this vulnerability, but assesses that the underlying vulnerabilities can be quickly reverse engineered from a publicly available patch. Aside from removing affected endpoints from the network, there are two known technical mitigations to this vulnerability:


    1. a software update, and
    2. a registry modification.


CISA has determined that this vulnerability poses unacceptable significant risk to the Federal Civilian Executive Branch and requires an immediate and emergency action. This determination is based on the likelihood of the vulnerability being exploited, the widespread use of the affected software across the Federal enterprise, the high potential for a compromise of agency information systems, and the grave impact of a successful compromise.


CISA requires that agencies apply the security update to all endpoints running Windows Server operating system as soon as possible. A registry modification workaround can help protect an affected Windows DNS server temporarily (until an update can be applied), and it can be implemented without requiring a restart of the server. The registry modification workaround will cause DNS servers to drop response packets that exceed the recommended value without error, and it is possible that some queries may not be answered. The registry modification workaround is compatible with the security update but should be removed once the update is applied to prevent potential future impact that could result from running a nonstandard configuration.


Required Actions


This emergency directive requires the following actions:


    1. Update all endpoints running Windows Server operating systems.

      a. By 2:00 pm EDT, Friday, July 17, 2020, ensure the July 2020 Security Update or registry modification workaround is applied to all Windows Servers running the DNS role.

      b. By 2:00 pm EDT, Friday, July 24, 2020, ensure the July 2020 Security Update is applied to all Windows Servers and, if necessary and applicable, the registry change workaround is removed.

      c. By 2:00 pm EDT, Friday, July 24, 2020, ensure technical and/or management controls are in place to ensure newly provisioned or previously disconnected servers are updated before connecting to agency networks.


CISA recommends agencies focus on updating Windows Servers running the DNS role first.


These requirements apply to Windows Servers in any information system, including information systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.


In instances where servers cannot be updated within 7 business days, CISA advises agencies to consider removing them from their networks.


    2. Report information to CISA

      a. By 2:00 pm EST, Monday, July 20, 2020, submit an initial status report using the provided template. This report will include estimated status information related to the agency’s current status and will identify constraints, support needs, and observed challenges.

      b. By 2:00 pm EST, Friday, July 24, 2020, submit a completion report using the provided template. Department-level Chief Information Officers (CIOs) or equivalents must submit completion reports attesting to CISA that the applicable update has been applied to all affected endpoints and providing assurance that newly provisioned or previously disconnected servers will be patched as required by this directive prior to network connection (per Action 1).


CISA Actions


    • CISA will continue to monitor and work with our partners to identify whether this vulnerability is actively being exploited.
    • CISA will provide additional guidance to agencies via the CISA website, through an emergency directive issuance coordination call, and through individual engagements upon request (via [email protected]).
    • Beginning August 13, 2020, the CISA Director will engage the CIOs and/or Senior Agency Officials for Risk Management (SAORM) of agencies that have not completed required actions, as appropriate and based on a risk-based approach.
    • By September 3, 2020, CISA will provide a report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) identifying cross-agency status and outstanding issues.


Duration


This emergency directive remains in effect until all agencies have applied the July 2020 Security Update or the directive is terminated through other appropriate action.


Microsoft CVE-2020-1350 | Windows DNS Server Remote Code Execution Vulnerability

Security Vulnerability

Published: 07/14/2020 | Last Updated: 07/15/2020
MITRE CVE-2020-1350

A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.

To exploit the vulnerability, an unauthenticated attacker could send malicious requests to a Windows DNS server.

The update addresses the vulnerability by modifying how Windows DNS servers handle requests.



As of January 14, 2020, Microsoft has ended support for Windows 7. Computers running Windows 7 will no longer receive security patches. Most machines are able to upgrade to Windows 10; see Windows 7 End of Life and Upgrade to Windows 10. If you are running legacy software or have computers attached to scientific equipment that only work with Windows 7, you must register them with IT or risk being blocked from the network. Windows 7 computers which have not been registered on the Windows 7 Exception Request Form will be blocked after June 30, 2020.


Related links:

On March 12, 2020 Microsoft released a warning to immediately update and reboot Windows systems due to a Microsoft SMBv3 Client/Server Remote Code Execution Vulnerability. Users are advised this is an extremely dangerous vulnerability and MUST be addressed right away.

Users should know that if their systems are not patched appropriately and an attack is launched against this vulnerability, LBNL will temporarily block those computers. If this occurs, users will be unable to remotely access their computers, which could impact their ability to telecommute. IT strongly advises all users to apply patches immediately and REBOOT.

Any questions or concerns can be directed to [email protected].

Thanks to Windows Server Update Service (WSUS), Windows Reboot Reminders, and BigFix, IT User Support is able to identify vulnerable software running on LBL systems. If you wish to receive proactive communications regarding the health of your computer, you can Download BigFix and install it. If you have further questions about BigFix, please Request Help.

Reminder: always keep your operating system up to date, your applications patched, and your system rebooted at least once a week! Follow IT Best Practices to ensure computer health.


Berkeley Lab IT has released Microsoft’s latest updates for Windows 10, which contains patches for multiple critical security vulnerabilities. One of these, CVE-2020-0601, has been identified by the Cyber Security group as a mandatory update. As such, all Windows 10 systems at the Lab MUST be updated, and may be blocked from the network if they are out of compliance.

Most systems have already been updated using the recommended Windows Update settings, but there are still many systems which remain vulnerable.  To address these remaining vulnerable systems, Berkeley Lab IT is using BigFix to ensure patches are updated:

  • If you get a Reboot Reminder from BigFix, it means that Windows is attempting to install updates, and needs to be restarted to complete the process. Your system will remain vulnerable until the reboot is completed.

  • For systems that are not getting automatically updated, BigFix will prompt you to install the updates directly from our BigFix server. If you get a BigFix patch notification, you will need to take recommended actions in order to protect your system. BigFix will reboot your system upon completion.

Please note that systems which are enrolled in BigFix Passive Management Mode will not be patched or rebooted by BigFix, and users are responsible for installing required updates by running Windows Update.  For information regarding Windows Update, see Microsoft’s site, Update Windows 10.




Update Firefox Now!

Just as your operating systems need to be patched, so do your browsers. Mozilla recently disclosed a critical vulnerability in Firefox, and advises all users to patch it immediately:

If Firefox is configured to update automatically, patching is as simple as restarting your browser. Users should verify they are running at least version 72.0.1. For your reference, Mozilla provides instructions for updating and verification here.

Thanks to BigFix, IT User Support is able to identify vulnerable software running on LBL systems. If you wish to receive proactive communications regarding the health of your computer, you can Download BigFix and install it. If you have further questions about BigFix, please Request Help.

Lastly, users should follow IT Best Practices to ensure computer health.

IT Workstation Support has catalogued the recent issues users have encountered when upgrading their system to the latest macOS Catalina. They are:

  • 32-bit applications will not run on Catalina, see table below

Top 10 32-bit Applications in use

  Quantity  Name
  277       Cisco VPN
  163       Microsoft Word, what version?
  116       Microsoft Excel, what version?
  93        Microsoft Powerpoint, what version?
  79        Identity Finder
  65        mdworker32 (Office365 process)
  64        Adobe Acrobat XI Pro (This software is out of compliance and must be upgraded to the subscription version, see Adobe Acrobat Pro DC)
  29        Carbonite (This software is no longer the Lab's enterprise backup software, see Druva inSync)
  28        Adobe Application Manager
  28        TextWrangler

  • Applications will request proper permissions to run

Application and solution:

Chrome Attachments

  1. Open System Preferences > Security & Privacy > Full Disk Access

  2. Add Chrome

Chrome Remote Desktop

  See https://support.google.com/chrome/thread/16263096?hl=en

DisplayLink

  Download and install the latest driver (beta release): https://www.displaylink.com/downloads/macos

Druva inSync

  1. Open System Preferences > Security & Privacy > Full Disk Access

  2. Add Druva inSync

Sophos

  See https://community.sophos.com/kb/en-us/134552#How%20to%20correct%20issues

Toshiba copiers fail to print with a "filter failed" error message

  1. Remove the print object

  2. Download the latest Toshiba drivers (https://software.lbl.gov/swSoftwareDetails.php?applicationID=108)

  3. Right-click and install the new Toshiba drivers; this will install in an elevated privileged mode

Zoom

  On Mac OS 10.15 Catalina, you need to allow Zoom access to Screen Recording to share your screen.

  1. Open System Preferences > Security & Privacy > Privacy > Screen Recording

  2. Check the option for zoom.us


As with any major operating system upgrade, users should always do the following:

  1. Perform a hardware assessment and check for compatibility

    1. Mac compatibility list - see https://support.apple.com/en-us/HT210222

    2. User must check with the hardware vendor for any external equipment

  2. Perform a software assessment and check for compatibility - users can check https://roaringapps.com/ for software compatibility

  3. Ensure you have all software licensing information if you need to reinstall software

  4. Perform a data assessment and backup all data

  5. Perform upgrade in place or from scratch

If you upgrade to macOS Catalina and something stops working, contact IT User Support at x4357 or email help@lbl.gov and we will be glad to help.

December 9th, the beginning of MFA enforcement for all staff, affiliates, and contractors is quickly approaching.


All LBL users must activate MFA for their Berkeley Lab enterprise accounts by this date, or risk losing access to email, LETS, and all other services protected by their Berkeley Lab Identity.


Visit go.lbl.gov/mfa to get started today.

As of Oct 17, 2019 Workstation Support is under guidance from LBL cybersecurity to remove CCleaner from all Lab systems.

Computers that have BigFix (Active Mode) installed will have a pop-up appear informing the user of the action and provide a button to click for easy uninstallation.

We are looking at other options to handle the functions that CCleaner provides, but in the short term, we need to remove it from all Lab systems. Workstation Support will be removing CCleaner beginning Friday, Nov 1, 2019.

Additionally, the free version of CCleaner cannot legally be installed on Laboratory computers.

CCleaner can be removed either via BigFix or via the Windows standard "Add and Remove" programs menu.

If you don't have BigFix installed on your system please see our IT Software Download Page at https://software.lbl.gov/.

If you need help removing CCleaner please contact the Help Desk at xHELP (x4357).



The LBL Indico instance (https://conferences.lbl.gov) was upgraded from v1.2 to v2.22 on Friday, September 27, 2019; it was inaccessible from 10AM to 2PM during the upgrade. The new version provides a new interface and new features in addition to bug fixes.

You can now log into Indico with your Berkeley Lab Identity credentials using single sign-on (SSO). The first time you login, you may notice a message letting you know it is the first time you have used this form of authentication to login.

This and other changes are highlighted in the Commons page here: https://commons.lbl.gov/x/FgGoCg

Just a reminder that as of June 1, 2019, Malwarebytes is no longer offered by Berkeley Lab IT. Existing clients will continue to function, but will not receive updates. IT recommends that users uninstall Malwarebytes. This can be done manually, or users can wait until they see a BigFix Offer from IT, which will remove the application automatically. For further information, refer to our Malwarebytes FAQ site.

IT Best Practices

Berkeley Lab computers are constantly under attack, but what should we, as users, do to protect ourselves and our systems? According to research conducted by Google, users and security experts often have different ideas as to what the best steps are to be taken.

To make it easier, Berkeley Lab IT has developed a series of IT Best Practices that all staff should follow when using Lab computers. These best practices address the most important security recommendations, data protection, and performance optimization.

IT Best Practices include:

  1. Install BigFix on ALL computers. BigFix is used to help keep your operating system and common applications up to date. There is even a Passive mode that you can use if you don't want any updates done automatically.

  2. To make sure that updates are installed, it is also essential that you REBOOT your computer regularly! BigFix will also tell you when your system needs a reboot.

  3. Use LastPass, a password manager which IT provides for free. LastPass makes it easy to make sure you always use strong, unique passwords.

  4. Enroll in the Lab’s Multi Factor Authentication (MFA) system. With MFA enabled, an attacker who knows your Lab password still won’t be able to log in.

  5. Familiarize yourself with the IT FAQ and Cyber Security websites. These sites are updated regularly with important information for users.

  6. Install Sophos on all workstations. Sophos is provided for free by Berkeley Lab IT.

  7. Use Druva inSync to back up your workstation data ($51/yr for up to 10 computers).

  8. Use VPN when on public networks (including LBL’s Visitor Wireless) or on travel. It is a good idea to use VPN whenever possible while offsite.

  9. Clean up your computer

  10. Use Google Drive / Google Shared Drive / Google File Stream to store important or shared files.

As most people know, keeping your software updated is the number one thing you can do for cyber security.  What is less well known is how important this is on mobile devices, such as iPhones and Android devices. A recent set of vulnerabilities announced in iPhone devices both makes it a priority to update now and serves as a reminder of the importance of updating regularly. 

You can read more about the newly announced vulnerabilities at https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html

The good news: update and reboot your iOS devices now to ensure they are secure.


This outage was resolved at ~2pm Aug 30. 

Prior Information Follows:

Outage: Intermittent DNS failures are causing slow network response times and intermittent application outages

General Impact: Our DNS servers are having trouble responding to queries. Response times for queries are longer than normal and some queries are failing. These failures may manifest themselves as slow web pages, login failures, and slow server response times.

We are investigating the cause of the issue and will update you as we have more information.


Status: Unscheduled

Resolved at approx 2:10PM Monday Aug 19

Prior Information:

A networking switch failure is impacting the following services:

Internal Telephone Calls to/from some buildings.

Inbound Telephone Calls to some buildings.

Verizon Coverage in Building 59

There is not an ETA for resolution at this time.


On August 13, 2019 Microsoft released a warning to update and reboot your system due to new Microsoft Remote Desktop Services vulnerabilities:

This affects the following operating systems:

  • Microsoft Windows Server 2019

  • Microsoft Windows Server 2016

  • Microsoft Windows Server 2012

  • Microsoft Windows Server 2008

  • Microsoft Windows 10

  • Microsoft Windows 8

  • Microsoft Windows 7

Berkeley Lab IT suggests all Windows users patch and reboot all systems immediately. Updates will also be released using BigFix for systems that were not patched through normal operations.  

Advice: Always keep your system and all software up to date and REBOOT at least once a month.
