The Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security (DHS), issued an executive order Thursday requiring federal civilian agencies to immediately fix the newly discovered Windows vulnerability SIGRed, citing the “unacceptable significant risk” to the agency’s security.
This is the third order ever issued by the Cybersecurity and Infrastructure Security Agency, part of DHS. It requires agencies to patch Windows servers used for the Domain Name System (DNS) within 24 hours or deploy additional mitigations. Affected servers that are not used for DNS have to be patched by July 24.
In the very urgent directive, CISA stresses that its assessment is “based on the likelihood of the vulnerability being exploited, the widespread use of affected software throughout the federal enterprise, the high likelihood of the destruction of institutional information systems, and the serious impact of successful destruction.”
Check Point researchers discovered the security vulnerability in Windows DNS and reported it to Microsoft in May. Failure to patch will leave Windows servers vulnerable, but Microsoft says there is no evidence that the flaw has been exploited.
“DNS server vulnerabilities are a very serious matter,” warns Omri Herscovici, head of Check Point’s vulnerability research team. “Only a few of these vulnerability types have been released. Every organization that uses Microsoft’s infrastructure, large and small, if not patched, faces a significant security risk, with the worst consequence being the complete destruction of the entire enterprise network. The vulnerability has been in Microsoft’s code for more than 17 years, and since we can find it, it’s not impossible for others to find it.”