Due to a vulnerability discovered in the RES agent by USGS staff and verified by ITSOT, OCIO decided to remove the RES agent from all DOI computers. The removal action began late yesterday afternoon (Jan 26, 2017) and is nearly complete. There was virtually no warning that this removal activity was going to occur. OCIO deemed the threat severe enough to warrant immediate removal.
In a limited number of cases, we have received reports indicating that the RES agent removal process left artifacts behind on a few hosts, causing the login process to fail for standard users. Administrators are able to log in to the same hosts. Please contact the Service Desk for assistance if this issue occurs in your environment.
If eVMS scans occurred in your environment since the RES deployment began on 01/18/2017, you may have noticed an increase in the number of occurrences of high-severity plugin #25167 “MS07-028: Vulnerability in CAPICOM Could Allow Remote Code Execution”. In most cases, the RES deployment caused this vulnerability to show up in the eVMS console. ITSOT is running targeted scans today and next week, which should eventually remove this vulnerability from the console now that the RES agent is being removed.
WHAT YOU NEED TO DO
For System Administrators with access to IEM/BigFix Web Reports, below is a link to a report showing the Windows computers with the RES agent installed.
USGS-Wide: RES Agent Installed Computer List
Ensure that computers under your responsibility are connected to the network so that the DOI-issued BigFix action can remove the RES agent.