This advisory applies to: All Federal Executive Branch Departments and Agencies, Except for the Department of Defense, Central Intelligence Agency, and Office of the Director of National Intelligence.
On August 11, 2020, Microsoft issued a security update to mitigate CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability in Windows Server operating systems. This vulnerability exists within the Microsoft Windows Netlogon Remote Protocol (MS-NRPC), an interface used for user and machine authentication on domain-based networks. The vulnerability allows anyone with access to the domain network to utilize the Netlogon protocol to establish connection with Windows Servers with the domain controller role and elevate their privileges to that of the domain administrator. This would allow an unauthenticated attacker to completely compromise all Active Directory identity services, opening up opportunities for further exploitation, data exfiltration, network disruption and so on.
Cybersecurity and Infrastructure Security Agency (CISA) has issued an Emergency Directive 20-04, “Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday” which mandates all Federal Executive Branch Departments and Agencies in United States to patch/mitigate this vulnerability (CVE-2020-1472) on all affected Windows Servers with the domain controller role and submit a completion report to CISA.
Required actions as per the CISA's Emergency Directive 20-04:
The emergency directive requires the following actions:
1. Update all Windows Servers with the domain controller role by 11:59 PM EDT, Monday, September 21, 2020.
Apply the August 2020 Security Update to all Windows Servers with the domain controller role. If affected domain controllers cannot be updated, ensure they are removed from the network.
By 11:59 PM EDT, Monday, September 21, 2020, ensure technical and/or management controls are in place to ensure newly provisioned or previously disconnected domain controller servers are updated before connecting to agency networks.
In addition to agencies using their vulnerability scanning tools for this task, CISA recommends that agencies use other means to confirm that the update has been properly deployed. These requirements apply to Windows Servers with the Active Directory domain controller role in any information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.
2. Report information to CISA
By 11:59 PM EDT, Wednesday, September 23, 2020, submit a completion report using the provided template. Department-level Chief Information Officers (CIOs) or equivalents must submit completion reports attesting to CISA that the applicable update has been applied to all affected servers and provide assurance that newly provisioned or previously disconnected servers will be patched as required by this directive prior to network connection (per Action 1).
Refer this advisory for more details on the CISA's Emergency directive, actions taken by CISA with regard to this vulnerability and the duration of this emergency directive.
How to identify whether the Windows servers in your network are vulnerable to CVE-2020-1472 using Patch Manager Plus?
If you've installed the August Patch Tuesday security updates or superseding updates from September, you're safe from CVE-2020-1472.
Follow the steps below to get a report of Windows servers that are vulnerable to CVE-2020-1472:
Log into the Patch Manager Plus web console.
Navigate to Patches module and sync the vulnerability database by clicking on "update now" under Update Vulnerability DB.
Scan will be initiated for all network endpoints once the vulnerability database sync is complete.
Head over to Reports module.
Select query Reports> New query report
Run the below query to get a report on whether the Windows servers in your network are patched against CVE-2020-1472.
SELECT ManagedComputer.FULL_NAME AS "Computer Name", Resource.DOMAIN_NETBIOS_NAME AS "Domain Name", PatchMgmtOSInfo.OS_NAME "OS Name", CASE WHEN q1.STATUSID=202 THEN 'Missing' WHEN q1.STATUSID=201 THEN 'Installed' WHEN q2.STATUSID=202 THEN 'Missing' WHEN q2.STATUSID=201 THEN 'Installed' WHEN PatchClientScanStatus.LAST_SUCCESSFUL_SCAN<1597474784000 THEN 'Not Scanned' ELSE 'NA' END "Patching Status" FROM ManagedComputer INNER JOIN RESOURCE ON Resource.RESOURCE_ID=ManagedComputer.RESOURCE_ID INNER JOIN PatchMgmtOSInfo ON PatchMgmtOSInfo.RESOURCE_ID=ManagedComputer.RESOURCE_ID LEFT JOIN PatchClientScanStatus ON PatchClientScanStatus.RESOURCE_ID=ManagedComputer.RESOURCE_ID LEFT JOIN(SELECT RESOURCE_ID, max(STATUS_ID) AS STATUSID FROM AffectedPatchStatus WHERE PATCH_ID in (29494, 29493, 29492, 29491, 29490, 29489, 29517, 29516, 29515, 29512, 29511, 29510, 29478, 29477, 29476, 29507, 29506, 29505, 29497, 29496, 29495, 29504, 29503, 29502, 29479, 29475, 29474, 29473, 29472) GROUP BY RESOURCE_ID) AS q1 ON q1.RESOURCE_ID=ManagedComputer.RESOURCE_ID LEFT JOIN (SELECT RESOURCE_ID, max(DISTINCT STATUS_ID) AS STATUSID FROM AffectedPatchStatus WHERE PATCH_ID in (29733, 29730, 29729, 29732, 29731, 29728, 29517, 29758, 29757, 29512, 29511, 29510, 29755, 29754, 29753, 29742, 29752, 29505, 29725, 29727, 29726, 29737, 29738, 29736, 29756, 29475, 29755, 29754, 29753) GROUP BY RESOURCE_ID) AS q2 ON q2.RESOURCE_ID=ManagedComputer.RESOURCE_ID WHERE ManagedComputer.MANAGED_STATUS=61 AND PatchMgmtOSInfo.OS_NAME LIKE '%server%'
You'll get a list of all the Windows servers in your network along with their patching status. If the patching status is installed, the vulnerability is mitigated in the machine. If the patching status is missing, the machine is still vulnerable to CVE-2020-1472.
How to mitigate CVE-2020-1472 in all the affected machines using Patch Manager Plus?
Log into the Patch Manager Plus web console.
Navigate to Patches module and sync the vulnerability database by clicking on "update now" under Update Vulnerability DB.
Scan will be initiated for all machines once the vulnerability database sync is complete.
Head over to Patches> Critical vulnerabilities.
Select "CVE-2020-1472" in the vulnerability type filter.
All the affected machines along with corresponding patch IDs to address the vulnerability will appear.
Select all items and click on install patch to create a patch deployment task.
Once all the affected Windows server with the domain controller role have been patched, submit a report to CISA using the template provided by CISA (See step 2 in required actions as per the CISA's Emergency Directive 20-04 section for the report template).
Happy patching!