Emergency Directive 20-02

January 14, 2020

Mitigate Windows Vulnerabilities from January 2020 Patch Tuesday

This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Emergency Directive 20-02, “Mitigate Windows Vulnerabilities from January 2020 Patch Tuesday”. Additionally, see CISA’s blog post.

Section 3553(h) of title 44, U.S. Code, authorizes the Secretary of Homeland Security, in response to a known or reasonably suspected information security threat, vulnerability, or incident that represents a substantial threat to the information security of an agency, to “issue an emergency directive to the head of an agency to take any lawful action with respect to the operation of the information system, including such systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat.” 44 U.S.C. § 3553(h)(1)–(2)

Section 2205(3) of the Homeland Security Act of 2002, as amended, delegates this authority to the Director of the Cybersecurity and Infrastructure Security Agency. 6 U.S.C. § 655(3).

Federal agencies are required to comply with these directives. 44 U.S.C. § 3554 (a)(1)(B)(v)

These directives do not apply to statutorily-defined “national security systems” nor to systems operated by the Department of Defense or the Intelligence Community. 44 U.S.C. § 3553(d), (e)(2), (e)(3), (h)(1)(B).

Background

On January 14, 2020, Microsoft released a software patch to mitigate significant vulnerabilities in supported Windows operating systems. Among the vulnerabilities patched were weaknesses in how Windows validates Elliptic Curve Cryptography (ECC) certificates1 and how Windows handles connection requests in the Remote Desktop Protocol (RDP) server and client.2

The vulnerability in ECC certificate validation affects Windows 10, Server 2016, and Server 2019. It bypasses the trust store, allowing unwanted or malicious software to masquerade as authentically signed by a trusted or trustworthy organization, which may deceive users or thwart malware detection methods like anti-virus. Additionally, a maliciously crafted certificate could be issued for a hostname that did not authorize it, and a browser that relies on Windows’ CryptoAPI would not issue a warning, allowing an attacker to decrypt, modify, or inject data on user connections without detection.

Vulnerabilities in the Windows Remote Desktop client (affecting all supported versions of Windows, including Server) and RDP Gateway Server (affecting Server 2012, 2016, 2019) allow for remote code execution, where arbitrary code could be run freely. The server vulnerabilities do not require authentication or user interaction and can be exploited by a specially crafted request. The client vulnerability can be exploited by convincing a user to connect to a malicious server.

Though the Cybersecurity and Infrastructure Security Agency (CISA) is unaware of active exploitation of these vulnerabilities, once a patch has been publicly released, the underlying vulnerabilities can be reverse engineered to create an exploit. Aside from removing affected endpoints from the network, applying this patch is the only known technical mitigation to these vulnerabilities.

CISA has determined that these vulnerabilities pose an unacceptable risk to the Federal enterprise and require an immediate and emergency action. This determination is based on the likelihood of the vulnerabilities being weaponized, combined with the widespread use of the affected software across the Executive Branch and high potential for a compromise of integrity and confidentiality of agency information.

Required Actions

This emergency directive requires the following actions:

  1. Patch all affected endpoints.

    a. Within 10 business days (by 5:00pm EST, January 29, 2020), ensure the January 2020 Security Updates patch is applied to all affected endpoints on agency information systems.

    b. Within 10 business days (by 5:00pm EST, January 29, 2020), ensure technical and/or management controls are in place to ensure newly provisioned or previously disconnected endpoints are patched before connecting to agency networks.

CISA strongly recommends agencies initiate patching immediately, with a focus on patching the Windows 10 and Server 2016/2019 systems impacted by CVE-2020-0601. Agencies should prioritize patching mission critical systems and High Value Assets (HVAs), internet-accessible systems, and servers. Agencies should then apply the patch to the remaining endpoints. This applies to any information system, including information systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.

In instances where these endpoints cannot be patched within 10 business days, CISA advises agencies to remove them from their networks.

  1. Report information to CISA

    a. Within 3 business days (by 5:00pm EST, January 17, 2020), submit an initial status report using the provided template. This report must include information related to the agency’s current status and projected completion dates, and, if necessary, identified constraints, support needs, and observed challenges.

    b. Within 10 business days (by 5:00pm EST, January 29, 2020), submit a completion report using the provided template. Department-level Chief Information Officers (CIOs) or equivalents must submit completion reports attesting to CISA that the January 2020 Security Updates patch has been applied to all affected endpoints and providing assurance that newly provisioned or previously disconnected endpoints will be patched as required by this directive prior to network connection (per Action 1).

CISA Actions

Duration

This emergency directive remains in effect until replaced by a subsequent binding operational directive or terminated through other appropriate action.

Additional Information

Frequently Asked Questions

Who is required to take this action under this directive?

The full list of agencies in scope of this directive is at https://cyber.dhs.gov/agencies.

Though CISA directives are not mandatory for any other organizations, CISA publishes alerts and implementation guidance to support broader stakeholder efforts. State, local, tribal, and territorial governments, critical infrastructure, and other non-government organizations are encouraged to review and deploy this critical patch.

Does the directive apply to all CVEs in Microsoft’s January 2020 security update?

Yes. It is not solely focused on CVE-2020-0601.

What are some technical and/or management controls to restrict unpatched endpoints from connecting to networks?

An example of a technical control is network access control (NAC), which can quarantine devices that do not meet agency ‘health’ standards (e.g., missing patches). Management controls may include agency policies and manual procedures that prohibit unpatched endpoints from being connected to agency networks until patched.

What is the meaning of “endpoint” and “system” in the context of ED 20-02?

“Endpoint” means any device or instance running affected Microsoft Windows operating systems. This includes but is not limited to user workstations, servers, embedded devices, Internet of Things (IoT), and virtual machines.

The term “system” refers to a FISMA information system.

Do template questions 1, 2, 10, and 11 include endpoints on third-party hosted systems or just agency owned and controlled endpoints?

Answers to questions 1, 2, 10, and 11 of the reporting template should include all endpoints controlled and owned by the agency plus endpoints owned and managed by third parties over which agency has direct control (e.g. Infrastructure as a Service). For information systems where an agency does not have direct control over vulnerability management (e.g. Software as a Service), please list hosting providers in the appendix and provide a percentage of agency (FISMA) information systems hosted by those third parties (questions 3, 4, 12, and 13 of the template).

A helpful test is if you can count (or the third-party provider can give you a count) of endpoints, you report them under total number of affected/patched endpoints. If it is a true cloud SaaS with elasticity, scalability, etc., where you can’t tell how many endpoints (servers, VMs, anything with an IP) are involved, you list it as a hosting service provider.

Are there any additional resources available to agencies to assist with scanning and remediation?

While CISA does not endorse any particular vendor, agencies using CDM capabilities that include Splunk tools may find the following article useful:

Footnotes

  1. CVE-2020-0601 

  2. In particular, CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611