Zerologon takes advantage of the Netlogon Remote Protocol, which is used in the authentication process
A new vulnerability in Windows domain controllers has been discovered. In a published paper in September, researchers from Secura found a cryptographic flaw and called it Zerologon.
It takes advantage of the Netlogon Remote Protocol that is used in the authentication process. All that it takes to exploit this flaw – and compromise a wide variety of Active Directory identity services – is a TCP-level connection to the domain controller itself. Secura published a test tool on GitHub that can tell you whether a domain controller is vulnerable or not.
The discovery led to a rare emergency directive issued by CISA – the U.S. Cybersecurity and Infrastructure Security Agency – to patch all federally-owned Windows Servers by September 21, 2020, and to report to CISA those servers that are still vulnerable. That didn’t leave a lot of time for the patches to be applied.
Why the rush?
Mainly because attacks using this flaw have already been observed, and some analysts have said this is the most dangerous Windows bug of the year. Microsoft reported seeing active threats on one of its Twitter accounts. Included in these tweets are three samples that Microsoft states were used in the attacks. These samples are .NET executables with the filename 'SharpZeroLogon.exe' and can be found on VirusTotal (see samples 1, 2, and 3). One researcher also posted a proof-of-concept demonstration video. “If affected domain controllers cannot be updated, ensure they are removed from the network,” the CISA directive stated.
Microsoft was alerted earlier and released a patch for the vulnerability (CVE-2020-1472) as part of its August 11, 2020, Patch Tuesday security updates. Even so, a big issue remains, since Windows domains can receive logins from other operating systems and devices. That means Microsoft still has some work to do to eliminate the potential vulnerability. Non-Microsoft devices may not support this patch and could still expose your domain to attacks, which is why Microsoft will enforce secure RPC usage for accounts on non-Windows devices in February 2021.
CSOonline has several other suggestions for IT administrators, including scripts that can be used to review portions of the relevant server event logs. In the meantime, don’t delay on your patching.
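As an added example (not code from the article, from Secura, from Microsoft, or from CSOonline), the PowerShell script below reviews the Netlogon secure-channel events that a patched domain controller writes to its System log, summarises which connections were denied, allowed while still vulnerable, or allowed by policy exception, and checks whether enforcement mode is already switched on. The event IDs and the registry value are taken from Microsoft's published guidance for CVE-2020-1472; the computer name, lookback window and report path are placeholders you can change.

```powershell
# Added example: review Netlogon secure-channel events on a domain controller
# that has the August 2020 (or later) update installed, then report whether
# enforcement of secure RPC is already turned on. Run in an elevated session
# with rights to read the System log on the target DC.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # assumed: a patched domain controller
    [int]$LookbackDays    = 7,                   # assumed lookback window
    [string]$ReportPath   = "$env:TEMP\netlogon-secure-channel-report.csv"  # assumed output path
)

# Event IDs from Microsoft's CVE-2020-1472 guidance:
#   5827, 5828 - vulnerable Netlogon connection denied (enforcement in effect)
#   5829       - vulnerable connection still allowed (machine account needs attention)
#   5830, 5831 - vulnerable connection allowed because of a group policy exception
$netlogonEventIds = 5827, 5828, 5829, 5830, 5831

$filter = @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = $netlogonEventIds
    StartTime    = (Get-Date).AddDays(-$LookbackDays)
}

# Get-WinEvent raises a non-terminating error when nothing matches, so suppress it.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Netlogon secure-channel events in the last $LookbackDays days on $ComputerName."
}
else {
    $summary = foreach ($event in $events) {
        # Classify by event ID; the first line of the message names the account involved.
        $status = switch ($event.Id) {
            { $_ -in 5827, 5828 } { 'Denied' }
            5829                  { 'AllowedVulnerable' }
            default               { 'AllowedByPolicy' }
        }
        [pscustomobject]@{
            TimeCreated = $event.TimeCreated
            EventId     = $event.Id
            Status      = $status
            Detail      = ($event.Message -split "`r?`n")[0]
        }
    }

    $summary | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
    $summary | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Host "Report written to $ReportPath"

    # Accounts that still connect with a vulnerable channel are the ones to fix
    # before enforcement mode blocks them.
    $summary | Where-Object Status -eq 'AllowedVulnerable' |
        Select-Object -ExpandProperty Detail -Unique |
        ForEach-Object { Write-Host "Still vulnerable: $_" }
}

# Registry value from Microsoft's guidance: 1 = enforce secure RPC for all accounts.
# This check is local to the machine the script runs on.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$enforce = (Get-ItemProperty -Path $regPath -Name FullSecureChannelProtection -ErrorAction SilentlyContinue).FullSecureChannelProtection
if ($null -eq $enforce) {
    Write-Host 'FullSecureChannelProtection is not set (enforcement relies on the update default).'
}
else {
    Write-Host "FullSecureChannelProtection = $enforce"
}
```

Run it on each domain controller (or point `-ComputerName` at one) shortly after patching and again before the February 2021 enforcement date: any account that keeps showing up as `AllowedVulnerable` is a device that will stop authenticating once secure RPC is enforced, so it should be updated or replaced rather than exempted.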