The Zerologon exploit is a way for an attacker to escalate privileges within a system and gain access to other systems and files. It takes advantage of weaknesses in the authentication used by the Windows Server Netlogon Remote Protocol, capturing session data and using it to push the compromise further.
Although the Emergency Directive only applies to those federal agencies, we strongly recommend that state & local government, the private sector, and the American public also apply this security update as soon as possible. More info: https://t.co/O303PodUon #NetSec 2/2
— Cybersecurity and Infrastructure Security Agency (@CISAgov) September 19, 2020
According to the Homeland Security page, the emergency directive requires all agencies to “Update all Windows Servers with the domain controller role by 11:59 PM EDT, Monday, September 21, 2020,” or to remove systems that cannot be updated from the network. By September 23rd, all department-level CIOs must submit a report to CISA stating that the update is complete. While the exploit is being patched, CISA will ensure that compliance is met across all affected agencies.
This sort of governmental reaction is alarming but not surprising given its scope. The Common Vulnerability Scoring System (CVSS) has the Zerologon exploit rated at a 10, which is the highest severity rating it could receive. While the government is expediting fixes, companies and organizations should heed the warning of the emergency directive and update their systems too. This exploit is not something you want to find out about the hard way.