EMERgency24 has been a leader in the alarm monitoring and security industries since 1967. Offering independent alarm dealers the ability to provide the widest variety of security monitoring services, we are consistently rated as the 'most preferred' in surveys of alarm installation companies. WHEREAS, Emergency Order 20-20 required facial coverings, as defined by the United States Centers for Disease Control and Prevention (“CDC”), to be worn by persons working in or visiting grocery stores, restaurants, public transit vehicles, vehicles for hire, and locations where social distancing measures are not possible;. Emergency 20 - The Movie All Cutscenes (Full Walkthrough HD) - Game Information: Coordinate your team of first r.
January 14, 2020
Mitigate Windows Vulnerabilities from January 2020 Patch Tuesday
This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Emergency Directive 20-02, “Mitigate Windows Vulnerabilities from January 2020 Patch Tuesday”. Additionally, see CISA’s blog post.
Section 3553(h) of title 44, U.S. Code, authorizes the Secretary of Homeland Security, in response to a known or reasonably suspected information security threat, vulnerability, or incident that represents a substantial threat to the information security of an agency, to “issue an emergency directive to the head of an agency to take any lawful action with respect to the operation of the information system, including such systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat.” 44 U.S.C. § 3553(h)(1)–(2)
Section 2205(3) of the Homeland Security Act of 2002, as amended, delegates this authority to the Director of the Cybersecurity and Infrastructure Security Agency. 6 U.S.C. § 655(3).
Federal agencies are required to comply with these directives. 44 U.S.C. § 3554 (a)(1)(B)(v)
These directives do not apply to statutorily-defined “national security systems” nor to systems operated by the Department of Defense or the Intelligence Community. 44 U.S.C. § 3553(d), (e)(2), (e)(3), (h)(1)(B).
On January 14, 2020, Microsoft released a software patch to mitigatesignificant vulnerabilities in supported Windows operating systems.Among the vulnerabilities patched were weaknesses in how Windowsvalidates Elliptic Curve Cryptography (ECC) certificates1 and howWindows handles connection requests in the Remote Desktop Protocol (RDP)server and client.2
The vulnerability in ECC certificate validation affects Windows 10,Server 2016, and Server 2019. It bypasses the trust store, allowingunwanted or malicious software to masquerade as authentically signed bya trusted or trustworthy organization, which may deceive users or thwartmalware detection methods like anti-virus. Additionally, a maliciouslycrafted certificate could be issued for a hostname that did notauthorize it, and a browser that relies on Windows’ CryptoAPI would notissue a warning, allowing an attacker to decrypt, modify, or inject dataon user connections without detection.
Vulnerabilities in the Windows Remote Desktop client (affecting allsupported versions of Windows, including Server) and RDP Gateway Server(affecting Server 2012, 2016, 2019) allow for remote code execution,where arbitrary code could be run freely. The server vulnerabilities donot require authentication or user interaction and can be exploited by aspecially crafted request. The client vulnerability can be exploited byconvincing a user to connect to a malicious server.
Though the Cybersecurity and Infrastructure Security Agency (CISA) isunaware of active exploitation of these vulnerabilities, once a patchhas been publicly released, the underlying vulnerabilities can bereverse engineered to create an exploit. Aside from removing affectedendpoints from the network, applying this patch is the only knowntechnical mitigation to these vulnerabilities.
CISA has determined that these vulnerabilities pose an unacceptable riskto the Federal enterprise and require an immediate and emergency action.This determination is based on the likelihood of the vulnerabilitiesbeing weaponized, combined with the widespread use of the affectedsoftware across the Executive Branch and high potential for a compromiseof integrity and confidentiality of agency information.
This emergency directive requires the following actions:
Patch all affected endpoints.
a. Within 10 business days (by 5:00pm EST, January 29, 2020), ensure the January 2020 Security Updates patch is applied to all affected endpoints on agency information systems.
b. Within 10 business days (by 5:00pm EST, January 29, 2020), ensure technical and/or management controls are in place to ensure newly provisioned or previously disconnected endpoints are patched before connecting to agency networks.
CISA strongly recommends agencies initiate patching immediately, with a focus on patching the Windows 10 and Server 2016/2019 systems impacted by CVE-2020-0601. Agencies should prioritize patching mission critical systems and High Value Assets (HVAs), internet-accessible systems, and servers. Agencies should then apply the patch to the remaining endpoints. This applies to any information system, including information systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.
In instances where these endpoints cannot be patched within 10 business days, CISA advises agencies to remove them from their networks.
Report information to CISA
a. Within 3 business days (by 5:00pm EST, January 17, 2020), submit an initial status report using the provided template. This report must include information related to the agency’s current status and projected completion dates, and, if necessary, identified constraints, support needs, and observed challenges.
b. Within 10 business days (by 5:00pm EST, January 29, 2020), submit a completion report using the provided template. Department-level Chief Information Officers (CIOs) or equivalents must submit completion reports attesting to CISA that the January 2020 Security Updates patch has been applied to all affected endpoints and providing assurance that newly provisioned or previously disconnected endpoints will be patched as required by this directive prior to network connection (per Action 1).
CISA will continue to monitor and work with our partners to identify whether these vulnerabilities are being exploited.
CISA will provide additional guidance to agencies on the CISA website, through an emergency directive issuance coordination call, and through individual engagements upon request (via [email protected]).
CISA will review and validate agency compliance and ensure that agencies participating in CDM can leverage the support of their system integrators to assist with this effort, if needed.
Beginning February 3, 2020, the CISA Director will engage the CIOs and/or Senior Agency Officials for Risk Management (SAORM) of agencies that have not completed required actions, as appropriate.
By February 14, 2020, CISA will provide a report to the Secretary of Homeland Security and the Director of Office of Management and Budget (OMB) identifying cross-agency status and outstanding issues.
This emergency directive remains in effect until replaced by a subsequent binding operational directive or terminated through other appropriate action.
- General information, assistance, and reporting – [email protected]
- Reporting indications of potential compromise – [email protected]
Frequently Asked Questions
Who is required to take this action under this directive?
The full list of agencies in scope of this directive is at https://cyber.dhs.gov/agencies.
Though CISA directives are not mandatory for any other organizations, CISA publishes alerts and implementation guidance to support broader stakeholder efforts. State, local, tribal, and territorial governments, critical infrastructure, and other non-government organizations are encouraged to review and deploy this critical patch.
Does the directive apply to all CVEs in Microsoft’s January 2020 security update?
Emergency 2016 Mods
Yes. It is not solely focused on CVE-2020-0601.
What are some technical and/or management controls to restrict unpatched endpoints from connecting to networks?
An example of a technical control is network access control (NAC), which can quarantine devices that do not meet agency ‘health’ standards (e.g., missing patches). Management controls may include agency policies and manual procedures that prohibit unpatched endpoints from being connected to agency networks until patched.
What is the meaning of “endpoint” and “system” in the context of ED 20-02?
“Endpoint” means any device or instance running affected Microsoft Windows operating systems. This includes but is not limited to user workstations, servers, embedded devices, Internet of Things (IoT), and virtual machines.
The term “system” refers to a FISMA information system.
Do template questions 1, 2, 10, and 11 include endpoints on third-party hosted systems or just agency owned and controlled endpoints?
Answers to questions 1, 2, 10, and 11 of the reporting template should include all endpoints controlled and owned by the agency plus endpoints owned and managed by third parties over which agency has direct control (e.g. Infrastructure as a Service). For information systems where an agency does not have direct control over vulnerability management (e.g. Software as a Service), please list hosting providers in the appendix and provide a percentage of agency (FISMA) information systems hosted by those third parties (questions 3, 4, 12, and 13 of the template).
A helpful test is if you can count (or the third-party provider can give you a count) of endpoints, you report them under total number of affected/patched endpoints. If it is a true cloud SaaS with elasticity, scalability, etc., where you can’t tell how many endpoints (servers, VMs, anything with an IP) are involved, you list it as a hosting service provider.
Are there any additional resources available to agencies to assist with scanning and remediation?
While CISA does not endorse any particular vendor, agencies using CDM capabilities that include Splunk tools may find the following article useful:
In particular, CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611 ↩