CISA orders agencies to patch dire Windows flaw


A serious flaw in Microsoft Windows could leave federal government servers open to hackers and needs to be patched by midnight on Sept. 21, said a warning from the Cybersecurity and Infrastructure Security Agency.

The vulnerability affects core authentication capabilities, CISA warned in a Sept. 18 emergency directive. Failure to patch could permit unauthorized attackers to access and take over domain controllers' identity services.

The warning cites the "widespread presence of the affected domain controllers across the federal enterprise" and the "high potential for a compromise of agency information systems."

The vulnerability, Microsoft said in an August notice on the problem, could allow an attacker to elevate their domain privileges within the network without authentication once they get inside.

If an unauthorized attacker gets control of the identity capabilities at one agency, said CISA, the access could be used to compromise other federal networks.

"CISA has determined that this vulnerability poses an unacceptable risk to the federal civilian executive branch and requires an immediate and emergency action," said the directive.

Microsoft issued a software upgrade for the server vulnerability on Aug. 11. It said it plans to issue an additional update in the first quarter of 2021. In an accompanying assessment, the company said it had not seen any exploitation of the vulnerability.

CISA's command requires all agencies to update their domain controllers with a patch from Microsoft by 11:59 pm eastern time on Sept. 21. If servers can't be upgraded, they should be unplugged from networks.

After the software upgrade is in place, CISA requires agency CIOs to submit a completion report by Sept. 23 that states the update has been applied to all affected servers and that newly-provisioned and disconnected servers will be patched as required before they are connected to the network.

The agency said it is also keeping an eye on compliance through the Continuous Diagnostics and Mitigation (CDM) program. Agencies can get support from CDM systems integrators in the effort as well, it said.

By Oct. 5, CISA wants to be able to provide the secretary of the Department of Homeland Security and the director of the Office of Management and Budget with a detailed report on the cross-agency status of the upgrade and the issues that remain to be resolved.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Follow him on Twitter at @MRockwell4.

