DHS EMERGENCY DIRECTIVE 20-02 INFORMATION:
The Department of Homeland Security (DHS) has issued Emergency Directive 20-02, which requires all systems to have this patch applied within 10 business days of the Microsoft patch release date.
- CryptoAPI spoofing vulnerability – CVE-2020-0601: This vulnerability affects all machines running 32- or 64-bit Windows 10 operating systems, including Windows Server versions 2016 and 2019. This vulnerability allows Elliptic Curve Cryptography (ECC) certificate validation to bypass the trust store, enabling unwanted or malicious software to masquerade as authentically signed by a trusted or trustworthy organization. This could deceive users or thwart malware detection methods such as antivirus. Additionally, a maliciously crafted certificate could be issued for a hostname that did not authorize it, and a browser that relies on Windows CryptoAPI would not issue a warning, allowing an attacker to decrypt, modify, or inject data on user connections without detection.
- Multiple Windows RDP vulnerabilities – CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611: These vulnerabilities affect Windows Server 2012 and newer. In addition, CVE-2020-0611 affects Windows 7 and newer. These vulnerabilities—in the Windows Remote Desktop client and RDP Gateway Server—allow for remote code execution, where arbitrary code could be run freely. The server vulnerabilities do not require authentication or user interaction and can be exploited by a specially crafted request. The client vulnerability can be exploited by convincing a user to connect to a malicious server.
Information That Local IT Should Communicate to Users:
- The USGS Information Security Office is aware of the potential impact this will have on computing systems that are not scheduled to reboot during the next 10 business days. However, the criticality of these vulnerabilities across the Federal government requires immediate action.
- Local IT should work with their center director and reach out to users and require them to bring all Windows laptops and tablets into the office during this patching window to ensure they receive these critical patches and report their status to BigFix.
- Users should refrain from starting any long-term modeling or computational processes on computers running the Windows operating system until after patches have been deployed (on 01/16/2020) and reboots have occurred. Details on patch installation timing and the notifications users will see are below.
- Lab machines or machines that are not connected to the network will require Security Points of Contact/System Administrators to manually apply these patches. Guidance may be found in the Standalone Systems section below.
- Any computing system that is not patched and rebooted by Noon ET Wednesday January 29th, 2020 must be isolated or removed from the network until it can be patched and rebooted by local IT. Patching must occur while these systems are in an offline state.
Scope:
All physical, virtual, and cloud computers running a Windows operating system are in scope of this emergency directive, regardless of their function or importance. There are NO EXCEPTIONS to this emergency directive. If you have any questions, please contact your IT Liaison.
Systems that are not patched by Noon ET Wednesday January 29, 2020 must be isolated and removed from the network until the “Standalone” patches below are applied.
All new computer images must contain the January security patches. The USGS Enterprise SCCM Central Join OSD process will build computers and run Windows Update on them before they are live in the environment to ensure these patches are applied. Systems that are built using the USGS Enterprise SCCM Central Join OSD process (either PXE, boot media or standalone media) must meet these patching requirements.
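The following PowerShell script is an added example and is not part of this notice or of the USGS patching tooling. It checks a single Windows host against the directive as described above: that the January 2020 update for CVE-2020-0601 and the RDP CVEs is installed, that the host has rebooted since the install (the directive counts a system as remediated only after the reboot), and, as a detection aid, how many times CryptoAPI has logged an attempted CVE-2020-0601 certificate forgery since the update (Microsoft's January 2020 update writes an Application-log event, source Microsoft-Windows-Audit-CVE, Event ID 1, when it sees one). The KB number is a placeholder; take the real value for the host's OS build from the Standalone System Patches section, and the deadline is the one the notice gives.

```powershell
# Added example, not from the USGS notice: per-host ED 20-02 compliance and detection check.
# Assumptions: $RequiredKBs lists the January 2020 cumulative-update KB(s) for this host's
# build (placeholder below); the deadline is Noon ET, Wednesday 29 January 2020 from the notice.
param(
    [string[]]$RequiredKBs = @('KB-PLACEHOLDER-JAN2020'),   # replace with the KB(s) for this OS build
    [datetime]$Deadline    = [datetime]::Parse('2020-01-29T12:00:00-05:00')
)

$os = Get-CimInstance Win32_OperatingSystem
$result = [ordered]@{
    ComputerName          = $env:COMPUTERNAME
    OSVersion             = $os.Version
    PatchInstalled        = $false
    RebootedAfterPatch    = $false
    ExploitAttemptsLogged = 0
    Compliant             = $false
}

# 1. Is one of the required updates present?
$hotfixes = Get-HotFix | Where-Object { $RequiredKBs -contains $_.HotFixID }
$installedOn = $null
if ($hotfixes) {
    $result.PatchInstalled = $true
    # InstalledOn can be empty on some builds; take the newest non-empty value.
    $installedOn = ($hotfixes | Where-Object { $_.InstalledOn } |
                    Sort-Object InstalledOn | Select-Object -Last 1).InstalledOn
}

# 2. Has the host rebooted since the patch went on? Without the reboot the fix is not live.
if ($result.PatchInstalled -and $installedOn -and $os.LastBootUpTime -ge $installedOn) {
    $result.RebootedAfterPatch = $true
}

# 3. Detection: after the January update, CryptoAPI logs Microsoft-Windows-Audit-CVE
#    Event ID 1 in the Application log for each certificate that attempts the
#    CVE-2020-0601 trick. A non-zero count is something the SOC should look at.
$cveEvents = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-Audit-CVE'
    Id           = 1
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -like '*CVE-2020-0601*' }
$result.ExploitAttemptsLogged = @($cveEvents).Count

$result.Compliant = $result.PatchInstalled -and $result.RebootedAfterPatch
if (-not $result.Compliant -and (Get-Date) -gt $Deadline) {
    Write-Warning "$($result.ComputerName) missed the ED 20-02 deadline; isolate it until it is patched and rebooted."
}
[pscustomobject]$result
```

Run it locally on a host, or fan it out with Invoke-Command and collect the returned objects; a host whose Compliant field is false after the deadline is one the notice says must be isolated from the network until local IT patches and reboots it offline.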
WHEN IT WILL HAPPEN:
This DHS Emergency Directive schedule relates only to the applicable CVEs; the remaining monthly patches will be applied on the standard January ePatching schedule.
The GS-Wide: Emergency directive 20-02 Patch status BigFix report can be used to evaluate patch status.
BigFix Mandatory installation begins:
- Workstation actions will begin on Thursday 1/16/20 @ 8:00am local time
- Server actions will begin on Wednesday 1/15/20 @ 10pm local time
Reboot ePatching Scope Systems
- Users will receive a message stating that systems are being patched.
- Workstation Systems will receive a countdown requiring a reboot in 4 hours.
- Servers will reboot overnight on 1/16/20 if no manual reboot is done ahead of the deadline.
- McAfee encrypted systems will be configured for PBA bypass.
Non-reboot ePatching Scope Systems
- Users will receive a message stating that systems are being patched.
- Workstation and Server Systems will be rebooted on Tuesday, January 21, 2020 at 10:00PM local time if no manual reboot action was taken prior to this time. This will happen to all devices in this scope regardless of function or importance.
- McAfee encrypted systems will be configured for PBA bypass.
Standalone System Patches – Here is patch information and download links. All relevant patches below must be applied for the device to be considered secure.
All Remaining January ePatching Schedules:
Fast Ring Testing Schedule:
Offers Available: Thursday, January 16, 2020 at 2:30pm
Installation Deadline: Tuesday, January 21, 2020 at 2:00am
Please send Fast Ring feedback using the Service Desk Form
Production Patching Schedule:
Offers Available: Wednesday, January 22, 2020 at 12:30am
Installation Deadline: Wednesday, January 29, 2020 at 2:00am
WHAT WILL HAPPEN: The January 2020 ePatching Process
This Month’s Patch Cycle:
- Mozilla Firefox 72.0.1 and 68.4.1 to resolve CVE-2019-17026
- Adobe Reader DC (Continuous) as a Standard
- FireEye HX 31.28.0 – Windows – CANCELLED BY DOI
- Symantec Endpoint Protection Client 14.2.5323.2000 for Windows and 14.2.4815.1101 for MacOSx
Upcoming Patch Cycles:
- Microsoft Office 365 1908 Update – February ePatching Cycle
WHAT YOU NEED TO KNOW
The ePatching Team will have this month’s products and versions posted to the ePatching page by the end of the week. Please refer to it for the latest information. Please read the following additional information regarding vulnerability management actions.
Additional information about upcoming patches is available on the TST Current ePatching Activities page.
Adobe Reader DC (Continuous) as a Standard – The Department has changed the Adobe Reader standard from Classic (17.x) to Continuous (19.x). In order to support this change, the ePatching Team will be deploying Adobe Reader DC (Continuous) to all systems that are currently running older versions of Reader during the January 2020 ePatching cycle. During this deployment, the Classic track of Reader will be removed from systems and replaced with the new Continuous track version. Additional information on Adobe Reader DC can be found on the TST page.
FireEye HX 31.28.0 – DOI has requested that Bureaus not deploy this version of FireEye until further notice.
Symantec Endpoint Protection Client 14.2.5323.2000 for Windows and 14.2.4815.1101 for MacOSx – The ePatching Team will deploy the latest version of Symantec Endpoint Protection to all Windows workstations and MacOS systems during the January 2020 ePatching cycle. The following applications have been made available in SCCM and BigFix to support updating to the new SEP version. MacOSx systems have a known issue where they are not able to connect to eRAS when using version 14.2.5323.2000; due to this issue, MacOSx systems will be updated to 14.2.4815.1101 instead. Local IT is encouraged to use the BigFix fixlet to update SEP on all Windows Servers.
- 3-GS – Symantec Endpoint Protection Client No Reboot 14.2.5323.2000
- 3-GS – Symantec Endpoint Protection Client Reboot 14.2.5323.2000
- GS-Wide: MacOS – Symantec SEP 14.2.4815.1101 _Final (UPGRADE)
- GS-Wide: Windows Server – Symantec SEP 14.2.5323.2000 (UPGRADE)
Microsoft Office 365 1908 Upgrade – Microsoft has released version 1908 of Office 365 into the Semi-Annual Channel (16.0.11929.x) as of January 2020. Release notes on the Office 365 1908 update can be found here. The “DOI-O365-Semi-Annual Channel-1908 2020-01-15” Software Update Group and the “1-DOI-Microsoft Office365 ProPlus 16.0.11929.x” family of applications are available through SCCM. Sites are encouraged to review the list of changes. The Microsoft Office 365 1908 upgrade will be deployed to Fast Ring computers during the January ePatching cycle; if no issues are reported, it will be deployed to the remaining systems during the February ePatching cycle. Sites are encouraged to test/deploy 1-DOI-Microsoft Office365 ProPlus 16.0.11929.x through SCCM ahead of the February 2020 ePatching cycle. Please send Fast Ring feedback using the Service Desk Form.
WHAT YOU NEED TO DO
Local system administrators are responsible for testing the required patches and reporting any issues to the ePatching Team.
Specific instructions regarding SCCM and BigFix patching can be found on the TST website at: https://tst.usgs.gov/security/epatching/