Today, the Director of the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive (ED 20-03) directing federal civilian executive branch agencies to apply a Microsoft Windows patch to mitigate significant vulnerability risks and minimize exposure of associated threats to our federal information systems. CISA is directing federal civilian departments and agencies to apply the July 2020 Security Update or registry modification workaround to all Windows Servers running the DNS role by noon, Friday, July 17.
This is the third Emergency Directive issued by the Department of Homeland Security under authorities granted by Congress in the Cybersecurity Act of 2015, and we take this action after carefully considering the current and potential risk posed to the federal enterprise.
The software patch addresses a critical vulnerability in Windows Server operating systems (CVE-2020-1350). A remote code execution vulnerability exists in how Windows Servers are configured to run the Domain Name System (DNS) Server role. If exploited, the vulnerability could allow an attacker to run arbitrary code in the context of the Local System Account. To exploit the vulnerability, an unauthenticated attacker sends malicious requests to a Windows DNS server.
CISA strongly urges our state and local government and private sector partners to apply this security update patch as soon as possible to all endpoints running Microsoft Windows Server operating systems.