The Industry’s Only SaaS-Delivered Enterprise DLP

Our unique approach to DLP allows for quick deployment and on-demand scalability, while providing full data visibility and no-compromise protection.

No-Compromise Data Protection is:

  • Cloud-Delivered
  • Cross Platform
  • Flexible Controls
DATAINSIDER

Digital Guardian's Blog

Exploit Code for Patched Windows Zerologon Vulnerability Released

by Chris Brook on Tuesday September 15, 2020

Contact Us
Free Demo
Chat

Details on Friday came out around a severe privilege escalation vulnerability Microsoft patched last month in Netlogon. Now exploit code for the vulnerability, Zerologon, is making the rounds online.

It wasn’t until last Friday, one month after Microsoft’s regularly scheduled August Patch Tuesday, that the dust cleared around one of the nastier bugs it ever patched - CVE-2020-1472 - a CVSS-10 privilege escalation vulnerability in Netlogon that could grant anyone full takeover of Active Directory domains.

While Microsoft partially patched the issue in August, details on the vulnerability remained scant until last week, when Secura, a Dutch security firm, outlined the vulnerability and posted proof of concept code that makes it clearer how dangerous the vulnerability is.

Netlogon, for the unfamiliar, is a Microsoft protocol that acts as a channel between domain-joined machines and Domain Controllers, helps authenticate users and services.

Flash forward a month and experts and government entities alike are encouraging orgs to patch the bug as soon as possible. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) published an advisory on Monday warning that there's is publicly available exploit code for the vulnerability.

The vulnerability, which Secura nicknamed Zerologon, takes advantage of a flaw in a cryptographic authentication scheme it uses, AES-CFB8.

"This flaw allows attackers to impersonate any computer, including the domain controller itself, and execute remote procedure calls on their behalf," Secura said on Friday.

If an attacker were to send Netlogon messages filled with zeros - hence the Zerologon name - they could change the computer password of the domain controller stored in Active Directory. Once this is done, they'd be able to use it to obtain domain admin credentials and then restore the original domain controller password.

Once an attacker has done this - become Domain Admin with a click - they pretty much have free reign over the network. If they're on the local network or on a device that's plugged into the network, they can completely compromise the Windows domain, Secura said in a whitepaper (.PDF) detailing the vulnerability last week. “The attack is completely unauthenticated: the attacker does not need any user credentials,” the company reiterated.

According to Secura's technical report, assuming an attacker was already inside a company’s system, the attack could happen in as little as three seconds - just about how long it'd take to spoof the client credential, essentially a handshake between the client and the server.

As is to be expected when details around a dangerous vulnerability is disclosed online, it didn't take long on Monday for weaponized proof of concept code to make the rounds, further driving organizations who haven’t patched to do so as soon as possible.

To add another wrinkle to the story, Will Dorman, a Vulnerability Analyst at CERT/CC, the coordination center of the computer emergency response team for the Software Engineering Institute, said the vulnerability also appears to affect Samba, the Windows interoperability suite of programs for Linux and Unix.

Microsoft, for its part, said it is addressing the vulnerability in a two-part rollout, firstly by modifying how Netlogon handles the usage of Netlogon secure channels. With the fix, Domain Controllers will be able to implemented security features for all Netlogon authentications, something that should deter the style of attack Zerologon was using. The second fix, slated for Q1 2021, will enforce protection for all domain-joined devices.

Users looking to learn more about how to manage changes in Netlogon secure channel connections associated with the vulnerability should heed Microsoft's advice here.

Tags: Vulnerabilities

Recommended Resources


  • The seven trends that have made DLP hot again
  • How to determine the right approach for your organization
  • Making the business case to executives
  • Why Data Classification is Foundational
  • How to Classify Your Data
  • Selling Data Classification to the Business

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.