Emergency Directive 20-04

September 18, 2020

Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday

This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Emergency Directive 20-04, “Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday”.

Section 3553(h) of title 44, U.S. Code, authorizes the Secretary of Homeland Security, in response to a known or reasonably suspected information security threat, vulnerability, or incident that represents a substantial threat to the information security of an agency, to “issue an emergency directive to the head of an agency to take any lawful action with respect to the operation of the information system, including such systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat.” 44 U.S.C. § 3553(h)(1)–(2).

Section 2205(3) of the Homeland Security Act of 2002, as amended, delegates this authority to the Director of the Cybersecurity and Infrastructure Security Agency. 6 U.S.C. § 655(3).

Federal agencies are required to comply with these directives. 44 U.S.C. § 3554(a)(1)(B)(v).

These directives do not apply to statutorily-defined “national security systems” nor to systems operated by the Department of Defense or the Intelligence Community. 44 U.S.C. § 3553(d), (e)(2), (e)(3), (h)(1)(B).

Background

On August 11, 2020, Microsoft released a software update to mitigate a critical vulnerability in Windows Server operating systems (CVE-2020-1472). The vulnerability in Microsoft Windows Netlogon Remote Protocol (MS-NRPC), a core authentication component of Active Directory, could allow an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services.

Applying the update released on August 11 to domain controllers is currently the only mitigation to this vulnerability (aside from removing affected domain controllers from the network).

CISA has determined that this vulnerability poses an unacceptable risk to the Federal Civilian Executive Branch and requires immediate emergency action. This determination is based on the following:

CISA requires that agencies immediately apply the Windows Server August 2020 security update to all domain controllers.

Required Actions

This emergency directive requires the following actions:

  1. Update all Windows Servers with the domain controller role by 11:59 PM EDT, Monday, September 21, 2020,

    a. Apply the August 2020 Security Update to all Windows Servers with the domain controller role. If affected domain controllers cannot be updated, ensure they are removed from the network.

    b. By 11:59 PM EDT, Monday, September 21, 2020, ensure technical and/or management controls are in place so that newly provisioned or previously disconnected domain controller servers are updated before connecting to agency networks.

In addition to agencies using their vulnerability scanning tools for this task, CISA recommends that agencies use other means to confirm that the update has been properly deployed.
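One way to perform that independent confirmation, as an added example that is not part of the directive and not CISA's or Microsoft's own tooling: a PowerShell script that enumerates every domain controller in the domain and checks whether the required security update is installed, reporting unreachable servers explicitly instead of assuming they are patched. It assumes the ActiveDirectory RSAT module is available, that the account running it can query each domain controller remotely (Get-HotFix uses WMI/DCOM), and that `$RequiredKB` is filled in with the KB article numbers for the Windows Server versions in use; the values shown are placeholders, not identifiers from the page.

```powershell
# Added example (not part of the CISA directive): check every domain controller
# for the August 2020 Netlogon security update and flag any that lack it.
# ASSUMPTIONS: ActiveDirectory module installed; remote WMI access to each DC;
# $RequiredKB holds the KB IDs that apply to your OS versions (placeholders below).
Import-Module ActiveDirectory

# PLACEHOLDER: replace with the KB IDs for each Windows Server version you run,
# including later cumulative updates that supersede the August 2020 update.
$RequiredKB = @('KB<placeholder-2019>', 'KB<placeholder-2016>', 'KB<placeholder-2012R2>')

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $installed = Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop |
                     Select-Object -ExpandProperty HotFixID
        $hasUpdate = [bool]($installed | Where-Object { $RequiredKB -contains $_ })
        [pscustomobject]@{
            DomainController = $dc.HostName
            OperatingSystem  = $dc.OperatingSystem
            Reachable        = $true
            AugustUpdate     = if ($hasUpdate) { 'Installed' } else { 'MISSING' }
        }
    } catch {
        # An unreachable DC is reported as unknown, never silently treated as patched
        [pscustomobject]@{
            DomainController = $dc.HostName
            OperatingSystem  = $dc.OperatingSystem
            Reachable        = $false
            AugustUpdate     = 'UNKNOWN (query failed)'
        }
    }
}

$results | Sort-Object AugustUpdate | Format-Table -AutoSize

# Non-zero exit if any DC is missing the update or could not be checked,
# so the script can gate the completion report required by Action 2.
if ($results | Where-Object { $_.AugustUpdate -ne 'Installed' }) { exit 1 }
```

Because Windows cumulative updates supersede one another, a domain controller patched with a later cumulative update will not list the August 2020 KB ID; either include the superseding KB IDs in `$RequiredKB` (the directive itself accepts "other superseding updates") or compare the OS build number instead. Run the script from a management host and reconcile its output against the vulnerability scanner results, so that a server missed by one method is caught by the other.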

These requirements apply to Windows Servers with the Active Directory domain controller role in any information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.

  2. Report information to CISA

    a. By 11:59 PM EDT, Wednesday, September 23, 2020, submit a completion report using the provided template. Department-level Chief Information Officers (CIOs) or equivalents must submit completion reports attesting to CISA that the applicable update has been applied to all affected servers and provide assurance that newly provisioned or previously disconnected servers will be patched as required by this directive prior to network connection (per Action 1).

CISA Actions

Duration

This emergency directive remains in effect until all agencies have applied the August 2020 Security Update (or other superseding updates) or the directive is terminated through other appropriate action.

Additional Information

Frequently Asked Questions

Answers to other common compliance questions appear below.

Who is required to take this action under this directive?

The full list of agencies in scope of this directive is at https://cyber.dhs.gov/agencies. Though CISA directives are not mandatory for any other organizations, CISA publishes alerts and implementation guidance to support broader stakeholder efforts. State, local, tribal, and territorial governments, critical infrastructure, and other non-government organizations are encouraged to review and deploy this critical patch.

Does this directive apply to all Windows Servers or only those with the domain controller role?

Only to Windows Servers with the Active Directory domain controller role.

Who is responsible for updating servers in externally hosted systems (like cloud)?

What are some technical and/or management controls to restrict unpatched endpoints from connecting to networks?

An example of a technical control is network access control (NAC), which can quarantine devices that do not meet agency ‘health’ standards (e.g., missing patches). Management controls may include policies and manual procedures that prohibit unpatched endpoints from being connected to agency networks until patched.

What other information is available to agencies to assist with scanning and remediation?

CISA does not endorse any particular vendor, though agencies using CDM capabilities that include Splunk tools may find their blog post useful.