Windows servers could have 'critical' security flaws - so patch now

(Image credit: Shutterstock)

The US government has warned that Windows servers could be carrying major security flaws that could put other nations around the globe at risk.

The Cybersecurity and Infrastructure Security Agency (CISA), part of US Homeland Security, has issued an emergency directive that urges government agencies in the the country to update their systems with a "critical" Windows security patch.

The patch looks to fix a vulnerability in Windows Server known as Zerologin, which, if exploited, could allow hackers full access to a network without even needing to enter a password.

Windows security

CISA's statement said it was reacting to, "a known or reasonably suspected information security threat, vulnerability, or incident that represents a substantial threat to the information security of an agency".

Microsoft's patch was originally released on August 11 2020, meaning it has been out in the wild for some time - however it seems that some US government agencies are still yet to update their systems.

The flaw, found in Microsoft Windows Netlogon Remote Protocol (MS-NRPC), a core authentication component of Active Directory, affect affects systems running Windows Server 2008 R2 and later, including recent services using versions of Server based on Windows 10.

However it, "could allow an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services," CISA said.

Zerologon is rated the maximum 10.0 in severity by CISA, showing the seriousness that the US government regards the threat - despite the fix reportedly only taking a few seconds to carry out.

"Applying the update released on August 11 to domain controllers is currently the only mitigation to this vulnerability (aside from removing affected domain controllers from the network)," its warning added.

The agency says this flaw poses, "an unacceptable risk", and requires "immediate and emergency action", and is urging all government agencies to update before the end of September 21, and confirm the process is complete to them.

Via TechCrunch

Mike Moore
Deputy Editor, TechRadar Pro

Mike Moore is Deputy Editor at TechRadar Pro. He has worked as a B2B and B2C tech journalist for nearly a decade, including at one of the UK's leading national newspapers and fellow Future title ITProPortal, and when he's not keeping track of all the latest enterprise and workplace trends, can most likely be found watching, following or taking part in some kind of sport.