CISA Gives Federal Agencies Until Friday To Patch Exchange Servers

The US Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to install newly released Microsoft Exchange security updates by Friday.

Today, Microsoft released security updates for four Microsoft Exchange vulnerabilities discovered by the NSA.

These Exchange vulnerabilities are capable of remote code execution, with two vulnerabilities not requiring attackers to authenticate first.

While none of the vulnerabilities are known to be used in attacks, CISA believes that threat actors will reverse engineer the patches to create working exploits due to their severity and public disclosure.

While none of these vulnerabilities are known to be used in attacks, due to their severity and public disclosure, CISA believes that threat actors will reverse engineer the patches to create working exploits.

Also Read: PDPA Singapore Guidelines: 16 Key Concepts For Your Business

To prevent another widescale attack on Microsoft Exchange servers, CISA has updated their previously released Emergency Directive 21-02 to require all federal agencies to install today’s security updates by 12:01 AM on Friday, April 16th, 2021.

“CISA has determined that these vulnerabilities pose an unacceptable risk to the Federal enterprise and require an immediate and emergency action.

“This determination is based on the likelihood of the vulnerabilities being weaponized, combined with the widespread use of the affected software across the Executive Branch and high potential for a compromise of integrity and confidentiality of agency information.” reads the Supplemental Direction v2 for Emergency Directive 21-02.

Required actions by agencies

To comply with the Supplemental Direction v2, federal agencies are required to perform the following actions:

• Deploy Microsoft Updates. Before 12:01 am Friday, April 16, 2021, Eastern Daylight Time, agencies with on-premises Microsoft Exchange servers must deploy Microsoft updates from Tuesday, April 13, 2021, to all affected Microsoft Exchange servers. Microsoft Exchange Servers that cannot be updated within the deadline above must be immediately removed from agency networks.
• Apply/Maintain Controls. Ensure technical and/or management controls are in place to ensure newly provisioned or previously disconnected endpoints are updated before connecting to agency networks.
• Report Completion. For agencies managing on-premises Microsoft Exchange servers, department-level Chief Information Officers (CIOs) or equivalents shall submit a report to CISA using the provided template to CyberDirectives@cisa.dhs.gov by Noon Eastern Daylight Time on Friday, April 16, 2021.
• Report Indications of Compromise. Immediately report any identified cyber incidents and related indications of compromise detected while conducting update activities through https://us-cert.cisa.gov/report.

Also Read: Data Protection Officer Singapore | 10 FAQs

CISA states that federal agencies must continue these actions until another subsequent directive is issued.