Patch Now: CVE-2020-1472 "Zerologon" Critical Privilege Escalation Vulnerability Compromises Domain Controllers
Security firm Secura recently published a blog post on CVE-2020-1472, a CVSS 10 privilege escalation vulnerability in Microsoft’s Netlogon authentication process that its authors christened “Zerologon.” The vulnerability, which was partially patched in Microsoft’s August 2020 Patch Tuesday release, arises from a flaw in the cryptographic implementation of the Netlogon protocol, specifically in its use of AES-CFB8 encryption.
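The AES-CFB8 weakness behind this CVE, shown with an added Go example that is not Secura's or Microsoft's code: a textbook CFB8 implementation encrypting an all-zero plaintext under a fixed all-zero IV (the usage Secura documented in Netlogon) yields an all-zero ciphertext for roughly 1 in 256 random keys, while a fresh random IV per message removes that collapse. The function names and the 20000-key sample size are this example's own choices.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"fmt"
)

// aesCFB8Encrypt is a plain AES-CFB8 implementation written for this example: each
// byte is XORed with byte 0 of the encrypted shift register, then shifted into it.
func aesCFB8Encrypt(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	reg := make([]byte, aes.BlockSize)
	copy(reg, iv)
	ks := make([]byte, aes.BlockSize)
	out := make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(ks, reg)
		out[i] = ks[0] ^ p
		copy(reg, reg[1:])            // shift the register left by one byte
		reg[aes.BlockSize-1] = out[i] // and feed the ciphertext byte back in
	}
	return out
}

// countZeroCiphertexts encrypts eight zero bytes under n random AES-128 keys
// and returns how many produce an all-zero ciphertext. With a fixed all-zero
// IV the register stays zero once the first output byte is zero, so about 1
// in 256 keys does; a fresh random IV per message removes that collapse.
func countZeroCiphertexts(n int, fixedZeroIV bool) (hits int) {
	zeros, key, iv := make([]byte, 8), make([]byte, 16), make([]byte, aes.BlockSize)
	for i := 0; i < n; i++ {
		rand.Read(key)
		if !fixedZeroIV {
			rand.Read(iv)
		}
		if bytes.Equal(aesCFB8Encrypt(key, iv, zeros), zeros) {
			hits++
		}
	}
	return hits
}

func main() {
	fmt.Println("zero IV:", countZeroCiphertexts(20000, true), "random IV:", countZeroCiphertexts(20000, false))
}
```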
The impact of successful exploitation of this vulnerability is enormous. The flaw allows full takeover of Active Directory domains by compromising Windows servers running as domain controllers. In Secura’s words, it enables “an attacker with a foothold on your internal network to essentially become Domain Admin with one click. All that is required is for a connection to the Domain Controller to be possible from the attacker’s viewpoint.” This RPC connection can be made either directly or over SMB via named pipes.
According to Secura’s researchers, the bug, which they named Zerologon, takes advantage of a weak cryptographic construction used in the Netlogon authentication process. It allows an attacker to manipulate Netlogon authentication procedures and:
Secura’s blog includes proof-of-concept (PoC) code that performs the authentication bypass and can easily be weaponized for attacker operations, including ransomware and other malware propagation. It is unlikely to take long for one or more fully weaponized exploits to appear on the internet.
Microsoft is addressing the vulnerability in a phased two-part rollout. These security updates address it by changing how Netlogon handles the use of Netlogon secure channels.
For guidelines and advice on how to manage and protect your systems against these critical vulnerabilities, contact us today.