Microsoft released a software patch on Tuesday, January 14th to mitigate significant vulnerabilities discovered by National Security Agency (NSA) researchers in Windows operating systems. While the Cybersecurity and Infrastructure Security Agency (CISA) is unaware of active exploitation of these vulnerabilities, once a patch has been publicly released, the underlying vulnerabilities can be reverse engineered to create an exploit. Aside from removing affected endpoints from a network, applying this patch is the only known technical mitigation to these vulnerabilities.
Testing and Certification

Windows Critical Update

While voting systems operate in an air-gapped environment that may mitigate the Remote Desktop Protocol (RDP) vulnerability described in the notice, the EAC considers the Elliptic Curve Cryptography (ECC) validation vulnerability a significant threat to voting system security. According to information in DHS Emergency Directive 20-02, “This vulnerability may allow malicious software to bypass the trust store, allowing unwanted or malicious software to masquerade as authentically signed by a trusted or trustworthy organization, which may deceive users or thwart malware detection methods like anti-virus”. This vulnerability affects systems using Windows 10, Server 2016, and Server 2019. Please reach out to your voting system vendor for further information on whether or not your specific configuration is affected and their mitigation plans.

Since the ECC vulnerability described above requires that malicious software be loaded onto a vulnerable system in some manner, security measures designed to protect against accidental or unauthorized software installation should be implemented and existing procedures reviewed. For voting systems, precautions should be taken when transporting media (USB, flash drives, DVD-ROM, etc.) between components connected to public networks such as the internet and certified voting system components. This could include setting up a stand-alone PC (not connected to the internet or the voting system) that has been patched and has up-to-date anti-malware/anti-virus software installed, and using it to scan any media before it is introduced to the voting system. Additionally, we recommend that physical security best practices be followed, including sealing USB, CD/DVD readers, and other external connections when not in use.
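As an added illustration of the stand-alone scanning station described above (this script is not part of the EAC notice or any vendor's procedure), the following PowerShell checklist confirms that the station is patched and has current anti-malware signatures before it scans each attached removable volume and logs the result. It assumes Windows 10 with Microsoft Defender Antivirus; the KB identifier is a placeholder, since the notice does not name the update package, and must be filled in from the Microsoft update catalog.

```powershell
# Added example, not from the EAC notice. Assumes Windows 10 with Microsoft
# Defender Antivirus on the stand-alone scanning PC. $RequiredKB is a
# placeholder for the January 2020 Windows update identifier.

$RequiredKB          = 'KB<PLACEHOLDER>'   # placeholder: take the real KB number from the Microsoft update catalog
$MaxSignatureAgeDays = 1
$LogPath             = Join-Path $env:ProgramData 'MediaScanLog.csv'

# 1. The scanning station itself must carry the patch, or it is just another
#    endpoint that can be fooled by a forged code-signing certificate.
$hotfix = Get-HotFix -Id $RequiredKB -ErrorAction SilentlyContinue
if (-not $hotfix) {
    Write-Warning "Update $RequiredKB is not installed; patch this station before scanning media."
}

# 2. Anti-malware signatures should be current before any media is trusted.
$status = Get-MpComputerStatus
$sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
if ($sigAge.TotalDays -gt $MaxSignatureAgeDays) {
    Write-Warning ("Defender signatures are {0:N1} days old; update them first." -f $sigAge.TotalDays)
}

# 3. Scan every removable volume that is currently attached and record the
#    outcome per volume, so the chain of custody for the media is documented.
Get-Volume |
    Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
    ForEach-Object {
        $root = "$($_.DriveLetter):\"
        Start-MpScan -ScanType CustomScan -ScanPath $root

        # Detections are exposed through Get-MpThreatDetection; count those whose
        # resource path lies on the volume just scanned.
        $threats = @(Get-MpThreatDetection | Where-Object { $_.Resources -like "*$root*" })

        [pscustomobject]@{
            Time     = Get-Date -Format o
            Volume   = $root
            Label    = $_.FileSystemLabel
            Threats  = $threats.Count
            Operator = $env:USERNAME
        } | Export-Csv -Path $LogPath -Append -NoTypeInformation

        if ($threats.Count -gt 0) {
            Write-Warning "Volume $root produced $($threats.Count) detection(s); do not introduce it to the voting system."
        }
    }
```

Run the script from an elevated PowerShell session each time media is brought to the station; the CSV it appends to gives a simple record of which volume was scanned, when, by whom, and whether anything was detected.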

The EAC has reached out to voting system manufacturers and test labs reminding them that software de minimis changes are available for this type of update. We encourage manufacturers to submit updates to affected systems as soon as possible. The Testing and Certification program stands ready to expedite review of these changes.

The EAC will publish a list of voting systems that have been certified with this patch. Additionally, you should reach out to your voting system vendor for information on whether an update is necessary and what their implementation plan is in the event you require an update.
