Dangerous Microsoft Vulnerability - Apply January 2020 Patch Tuesday patches ASAP

Beginning February 6, 2020, unpatched Windows 10 computers will be blocked from the High Security Virtual Private Network (HSVPN).

Update February 4, 2020: On January 14, 2020, the National Security Agency (NSA) issued an advisory about a critical Microsoft vulnerability affecting Microsoft Windows cryptographic functionality. A note was sent that evening to UVA LSPs recommending that everyone install the patch as soon as possible. We also announced that we would block unpatched devices attempting to access the High Security Virtual Private Network (HSVPN) on Friday, January 24th. However, because of complexities in identifying the presence of this specific patch, we were unable to block as originally planned. The issues with identifying the patch have now been resolved and tested. Therefore, we will begin blocking any unpatched Windows machines connecting to the High Security VPN starting on Thursday, February 6, 2020.


Posted: January 15, 2020

National Security Agency (NSA) Finds Dangerous Microsoft Vulnerability

Summary

The National Security Agency (NSA) issued an advisory that Microsoft patches released on January 14, 2020, need to be applied immediately.

This patch release provides updates that plug 50 security holes in various Windows and related software. It includes a fix for a flaw in Windows 10 and the server equivalents of this operating system. The flaw leaves affected devices vulnerable to cyber attacks.


Impact

According to the advisory (PDF) released by the NSA, the flaw may have far more wide-ranging security implications; the advisory notes that the “exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities.”

Exploitation of this vulnerability has already occurred, much sooner than experts predicted. With this weakness, attackers can impersonate everything from trusted websites to the source of software updates for Windows and other programs. Examples where validation of trust may be affected include HTTPS connections, signed files and signed emails.


Vulnerable

The vulnerability affects devices running the Windows 10 operating system and the server equivalents of this operating system.

To learn how to find out which version of the Windows operating system your PC is running, go to https://support.microsoft.com/en-us/help/13443/windows-which-version-am-i-running.


Recommendations

If you are running a Windows 10 operating system, the patches will be pushed to you directly over the Internet.

Windows 10 offers you the choice of when and how to get the latest updates to keep your device running smoothly and securely. To manually check that the latest recommended updates are applied, select the Start button, then select Settings > Update & Security > Windows Update.
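For LSPs checking many machines, the same question can be answered from PowerShell. This is an added example, not part of the UVA ITS advisory: it reports the Windows build and whether a security update installed on or after the January 14, 2020 Patch Tuesday is present. The KB identifier is a placeholder, since this page does not list the KB numbers for the fix.

```powershell
# Added example (not from the UVA advisory): report whether a Windows 10 or
# server machine shows a security update installed on or after the
# January 14, 2020 Patch Tuesday. The KB list is a placeholder; substitute
# the cumulative-update KB for your build (not given on this page).
function Test-JanuaryPatchState {
    param(
        [datetime]$PatchTuesday = [datetime]'2020-01-14',
        [string[]]$ExpectedKbs  = @('KB<placeholder>')   # placeholder value
    )

    # Edition and build as reported by the OS; UBR is the cumulative-update revision
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $ubr = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR

    # Windows 10 RTM is build 10240; Server 2016/2019 builds are higher.
    $isWin10Family = [int]$os.BuildNumber -ge 10240

    # Cumulative updates supersede earlier ones, so any security update
    # installed on or after Patch Tuesday is a reasonable heuristic.
    # InstalledOn can be $null for some entries, so test it first.
    $hotfixes = Get-HotFix
    $recent   = $hotfixes |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday } |
        Sort-Object InstalledOn -Descending
    $kbHit    = $hotfixes | Where-Object { $ExpectedKbs -contains $_.HotFixID }

    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        OSCaption                = $os.Caption
        Build                    = "$($os.BuildNumber).$ubr"
        IsWindows10OrServer      = $isWin10Family
        UpdatesSincePatchTuesday = ($recent.HotFixID -join ', ')
        ExpectedKbPresent        = [bool]$kbHit
        LikelyPatched            = $isWin10Family -and ([bool]$kbHit -or [bool]$recent)
    }
}

Test-JanuaryPatchState | Format-List
```

The date-based result is a heuristic; confirm against the actual KB for the machine's build before treating a device as patched.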

If you have any concerns, you may follow up with your LSP to ensure that your computer has been updated, or contact the UVA Help Desk at 434-924-4357 or by emailing [email protected].

UVA Information Technology Services (ITS) will begin blocking unpatched devices attempting to access the High-Security Virtual Private Network (HSVPN) on Friday, January 24th.

References

[1] https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF

[2] https://krebsonsecurity.com/2020/01/patch-tuesday-january-2020-edition/

[3] https://support.microsoft.com/en-us/help/13443/windows-which-version-am-i-running