One of the highest-impact Windows vulnerabilities patched this year is now under active exploitation by malicious hackers, Microsoft warned overnight, in a development that puts increasing pressure on laggards to update now.
The Zerologon micropatch is ‘primarily targeted at Windows Server 2008 R2 users without Extended Security Updates’
CVE-2020-1472, as the vulnerability is tracked, allows hackers to instantly take control of Active Directory, the Windows server resource that acts as an all-powerful gatekeeper for every machine joined to a network. Researchers have dubbed the vulnerability Zerologon because it allows attackers with only minimal access to a vulnerable network to log in to Active Directory by sending a string of zeros in messages that use the Netlogon protocol. The entire attack is very fast, lasting up to three seconds at most. In addition, there are no limits to how an attacker can use the Zerologon attack. For example, the attacker could also pose as the domain controller itself and change its password, allowing the hacker to take over the entire corporate network.
Simply put, Zerologon lets anyone with a network toehold obtain the domain-controller password.
“A security update was released in August 2020. Customers who apply the update, or have automatic updates enabled, will be protected.” (Microsoft statement)
Organizations with vulnerable servers should muster whatever resources they need to make sure this patch is installed sooner rather than later.
https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
A test tool from Secura on GitHub, which you can download here: https://github.com/SecuraBV/CVE-2020-1472, can tell you whether a domain controller is vulnerable.
We advise readers “not to be the organisation that made the headlines because it failed to patch.”
Zerologon cannot be used to take over Windows servers from outside the network: an attacker first needs a foothold inside it. Once that condition is met, however, it is a “game over” situation for any organisation unlucky or foolhardy enough to fall victim to it, according to Satnam Narang, staff research engineer at Tenable, who urged prompt attention.
This bug is also a boon for malware and ransomware gangs, which often rely on infecting one computer inside a company’s network and then spreading to multiple others. With Zerologon, this task has been considerably simplified.
0patch issued a “micropatch” of its own for the bug. “Our micropatch was made for Windows Server 2008 R2, which reached end-of-support this January and stopped receiving Windows updates.” 0patch is also porting the micropatch to various still-supported Windows Server versions for customers who for various reasons can’t apply the Microsoft patch, he added.
Zerologon carries a critical severity rating from Microsoft as well as a maximum of 10 under the Common Vulnerability Scoring System. Despite the high rating, the escalation-of-privileges vulnerability received scant, if any, attention when Microsoft patched it in August, and Microsoft deemed the chances of actual exploitation “less likely.”
The security world finally took notice last week with the release of several proof-of-concept exploits and a detailed writeup, which demonstrated the severity of the vulnerability and the relative ease in exploiting it.
All hands on deck. On Wednesday evening, Microsoft issued a series of tweets saying that Zerologon was now being exploited in the wild.
“Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon,” Microsoft representatives wrote. “We have observed attacks where public exploits have been incorporated into attacker playbooks.”
The company provided several digital signatures of files used in the attacks, but it didn’t publicly provide additional details. Microsoft has published a threat analytics report that’s designed to help administrators assess the vulnerability of their networks, but it’s available only to Office 365 subscribers.
It’s hard to overstate the severity of an exploit that makes it possible to take control of an Active Directory using several dozen lines of code. Active Directory (and the domain controller servers it runs on) is the resource most cherished by ransomware attackers. With control over the central provisioning directory, they can infect entire fleets of machines within minutes. Nation-sponsored hackers performing surgical-precision espionage campaigns also prize such access because it allows them to control specific network resources of interest.
There may also be ways to exploit Zerologon directly from the Internet with no previous access. Internet searches show that more than 33,000 networks are exposing domain controllers, and more than 3 million networks are exposing Remote Procedure Call login servers, to the public Internet. In the event a single network is exposing both resources, the combination may leave that network wide open with no other requirements.
The risk posed by Zerologon isn’t just that of facing a catastrophic hack. There’s also the threat of applying a patch that breaks a network’s most sensitive resource. Late last week, the cybersecurity arm of the Department of Homeland Security mandated that agencies either apply the patch by Monday night or remove domain controllers from the Internet. Less than three days later, exploits are in the wild, so it’s clear there was good reason for the directive.
Patching Zerologon was no easy task for Microsoft, as the company had to modify how billions of devices connect to corporate networks, effectively disrupting the operations of countless companies. The patching process is scheduled to take place in two phases. The first took place last month, when Microsoft released a temporary fix for the Zerologon attack.
This temporary patch made the Netlogon security features that Zerologon was able to disable mandatory for all Netlogon authentications, effectively breaking Zerologon attacks.
Nonetheless, a more complete patch is scheduled for February 2021, in case attackers find a way around the August patches. Unfortunately, Microsoft anticipates that this later patch will end up breaking authentication on some devices. Some details about this second patch are described here: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
Note that if you use Samba as a domain controller, it is also affected, and a patch is available.