A new critical Windows vulnerability that can allow Threat Actors to easily take control of domain controllers was quietly patched on August 11th, 2020 by Microsoft through the KB4571723 update. With a CVSSv3 severity score of 10/10, this vulnerability is as serious as they come and should be addressed immediately.

This finding and its technical details were outlined in the White Paper, “Zerologon: Unauthenticated Domain Controller Compromise by Subverting Netlogon Cryptography (CVE-2020-1472)” from the Dutch security firm Secura.

This finding, CVE-2020-1472, is rooted in the Netlogon protocol, which authenticates users and other services within a Windows domain. The heart of the problem is a weak cryptographic algorithm used within the Netlogon authentication process, which allows attackers to manipulate that process.

A simplified visual representation of the Netlogon handshake can be observed below:

Simplified Netlogon Authentication Handshake (image source: https://www.secura.com/blog/zero-logon)

A visual representation of the Zerologon attack can be observed here:

The Zerologon attack (image source: https://www.secura.com/blog/zero-logon)

The Zerologon vulnerability can essentially allow an attacker to take over a whole enterprise Windows domain. This vulnerability can allow an attacker to impersonate any system when authenticating to a DC, turn off security features within the authentication process, and change passwords within Active Directory. From a high level, the attack is conducted by sending a series of Netlogon messages with many of the fields within the messages filled with zeros. Exploitation of the vulnerability can happen in a matter of seconds.
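To make the “weak cryptographic algorithm” and the “fields filled with zeros” concrete, the following Go program is an added example; it is not code from Secura, Microsoft or SpearTip. It re-implements AES-CFB8, the mode Netlogon's credential computation applies to an 8-byte challenge with an all-zero IV, and measures how often an all-zero challenge encrypts to an all-zero credential under a random session key. The keys scanned by firstWeakKey are a constructed counter rather than anything derived from a real session, and all function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"fmt"
)

// Netlogon computes a credential by encrypting an 8-byte challenge with
// AES-CFB8 under the session key and an all-zero IV. This is the AES mode
// re-implemented so the resulting property can be measured; it is not Netlogon code.
const challengeLen = 8

// cfb8Encrypt implements CFB8 over AES for a 16-, 24- or 32-byte key.
// For every plaintext byte the 16-byte shift register is encrypted, the first
// output byte is XORed with the plaintext byte, and the resulting ciphertext
// byte is shifted into the low end of the register.
func cfb8Encrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	reg := append([]byte(nil), iv...) // the IV seeds the shift register
	tmp := make([]byte, block.BlockSize())
	out := make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(tmp, reg)
		c := p ^ tmp[0]
		out[i] = c
		copy(reg, reg[1:])
		reg[len(reg)-1] = c
	}
	return out, nil
}

// firstKeystreamByte returns AES_key(0^16)[0]. With a zero IV and a zero
// plaintext byte this one byte decides everything: if it is 0x00 the ciphertext
// byte is 0x00, the register stays all zeros, and every later byte repeats it.
func firstKeystreamByte(key []byte) (byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return 0, err
	}
	var zero, out [aes.BlockSize]byte
	block.Encrypt(out[:], zero[:])
	return out[0], nil
}

// zeroCredentialForKey reports whether an all-zero challenge yields an
// all-zero credential under the given session key and a zero IV.
func zeroCredentialForKey(key []byte) (bool, error) {
	iv := make([]byte, aes.BlockSize)
	challenge := make([]byte, challengeLen)
	cred, err := cfb8Encrypt(key, iv, challenge)
	if err != nil {
		return false, err
	}
	return bytes.Equal(cred, challenge), nil
}

// weakKeyFraction draws random 128-bit session keys and returns the fraction
// for which the zero challenge maps to a zero credential (about 1/256).
func weakKeyFraction(trials int) (float64, error) {
	hits := 0
	key := make([]byte, 16)
	for i := 0; i < trials; i++ {
		if _, err := rand.Read(key); err != nil {
			return 0, err
		}
		weak, err := zeroCredentialForKey(key)
		if err != nil {
			return 0, err
		}
		if weak {
			hits++
		}
	}
	return float64(hits) / float64(trials), nil
}

// firstWeakKey scans constructed keys (a counter in the first four bytes, not
// anything derived from a real secret) until one exhibits the property.
func firstWeakKey(limit int) ([]byte, error) {
	key := make([]byte, 16)
	for n := 0; n < limit; n++ {
		key[0], key[1], key[2], key[3] = byte(n), byte(n>>8), byte(n>>16), byte(n>>24)
		weak, err := zeroCredentialForKey(key)
		if err != nil {
			return nil, err
		}
		if weak {
			return append([]byte(nil), key...), nil
		}
	}
	return nil, fmt.Errorf("no weak key among %d candidates", limit)
}

func main() {
	frac, err := weakKeyFraction(20000)
	if err != nil {
		panic(err)
	}
	fmt.Printf("random session keys giving an all-zero credential: %.4f (1/256 = %.4f)\n", frac, 1.0/256)
	key, err := firstWeakKey(1 << 16)
	if err != nil {
		panic(err)
	}
	fmt.Printf("constructed key with the property: %x\n", key)
}
```

The measured fraction is the number behind the article's description: because the IV is fixed at zero, a zero challenge stays zero whenever the first byte of AES_key(0) is zero, which holds for roughly one session key in 256, so the property shows up after a few hundred sessions rather than after 2^64 guesses. A mode using a fresh random IV per message has no such fixed point, which is why the fix is a protocol change delivered by patch rather than anything a monitoring rule alone can compensate for.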

Successfully exploiting this attack vector doesn’t even require the attacker to have domain credentials. The good news for enterprise security teams is that the Zerologon vulnerability cannot be exploited externally: a Threat Actor needs to have already gained access to the internal network prior to launching the attack. The need for internal access raises the potential for this weakness being exploited by malicious insiders. If applying the security patch immediately isn’t an option, security teams should also be mindful to secure any exposed Ethernet ports within their facility to mitigate the possibility of an outsider plugging a rogue device into an open network port and exploiting Zerologon.

A weaponized proof-of-concept exploit was recently posted to GitHub, which will likely result in immediate attempts by Threat Actors to exploit this in the wild. There’s also a publicly available Python script that security teams can leverage to test for the existence of the vulnerability: https://github.com/SecuraBV/CVE-2020-1472.

This finding once again highlights the need for applying software patches as soon as possible and staying abreast of the latest security vulnerabilities and news. Many organizations fail to keep up with software patches, and others delay applying patches out of fear of breaking internal systems and/or applications. SpearTip strongly advises that I.T. teams immediately apply the August 11th, 2020 Windows security patch KB4571723 on all domain controllers. The security patch released this past August is just a temporary fix, though. A permanent fix won’t be available until February 2021.
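Once the August patch is installed, a domain controller records Netlogon hardening events in its System log (event IDs 5827 and 5828 for vulnerable connections it denied, and 5829, 5830 and 5831 for vulnerable connections it still allowed); Microsoft's guidance accompanying the patch documents these IDs. The following Go program is an added example, not SpearTip's tooling and not Microsoft's: it triages a handful of constructed, simplified key=value log lines (that layout is an assumption made for the example; real events are XML in the System log) and reports per account which devices still rely on vulnerable Netlogon connections, which is what the February 2021 enforcement phase will block, and which connections were already denied.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// netlogonEvents maps the System-log event IDs added by the August 2020
// Netlogon patch to a short meaning. "denied" means the DC refused a
// vulnerable (non secure-RPC) connection; "allowed" means it still permitted one.
var netlogonEvents = map[int]string{
	5827: "denied: vulnerable connection from machine account",
	5828: "denied: vulnerable connection from trust account",
	5829: "allowed: vulnerable connection (initial deployment phase)",
	5830: "allowed: vulnerable machine account connection permitted by policy",
	5831: "allowed: vulnerable trust account connection permitted by policy",
}

// sampleLog is constructed for this example; the key=value layout is an
// assumption and not Microsoft's event format.
var sampleLog = []string{
	`2020-09-14T10:22:01Z EventID=5829 Source=NETLOGON Account=WS01$ Domain=CORP OS="Windows 7"`,
	`2020-09-14T10:22:05Z EventID=4624 Source=Security Account=jdoe Domain=CORP`,
	`2020-09-14T10:23:40Z EventID=5827 Source=NETLOGON Account=UNKNOWN$ Domain=CORP OS=""`,
	`2020-09-14T10:24:12Z EventID=5829 Source=NETLOGON Account=NAS01$ Domain=CORP OS="Linux Samba"`,
	`2020-09-14T10:25:00Z EventID=5829 Source=NETLOGON Account=WS01$ Domain=CORP OS="Windows 7"`,
	`2020-09-14T10:26:33Z EventID=5831 Source=NETLOGON Account=PARTNER$ Domain=CORP OS=""`,
}

// fieldRe matches key=value pairs where the value is either quoted or a bare token.
var fieldRe = regexp.MustCompile(`(\w+)=("[^"]*"|\S+)`)

// parseLine extracts the key=value fields from one log line.
func parseLine(line string) map[string]string {
	fields := map[string]string{}
	for _, m := range fieldRe.FindAllStringSubmatch(line, -1) {
		fields[m[1]] = strings.Trim(m[2], `"`)
	}
	return fields
}

// Finding summarises the Netlogon hardening events seen for one account.
type Finding struct {
	Account string
	Allowed int // count of 5829/5830/5831: still usable by an impersonator, will break under enforcement
	Denied  int // count of 5827/5828: a device or caller that tried a vulnerable connection and was refused
}

// triage keeps only the Netlogon hardening events and returns per-account
// counts sorted by account name so the list is stable for reporting.
func triage(lines []string) []Finding {
	byAccount := map[string]*Finding{}
	for _, line := range lines {
		f := parseLine(line)
		var id int
		if _, err := fmt.Sscanf(f["EventID"], "%d", &id); err != nil {
			continue
		}
		meaning, ok := netlogonEvents[id]
		if !ok {
			continue // not a Netlogon hardening event
		}
		acct := f["Account"]
		fd := byAccount[acct]
		if fd == nil {
			fd = &Finding{Account: acct}
			byAccount[acct] = fd
		}
		if strings.HasPrefix(meaning, "allowed") {
			fd.Allowed++
		} else {
			fd.Denied++
		}
	}
	out := make([]Finding, 0, len(byAccount))
	for _, fd := range byAccount {
		out = append(out, *fd)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Account < out[j].Account })
	return out
}

func main() {
	for _, f := range triage(sampleLog) {
		fmt.Printf("%-10s allowed=%d denied=%d\n", f.Account, f.Allowed, f.Denied)
	}
}
```

Accounts with a non-zero Allowed count are the ones to chase before the enforcement phase: either update or replace the device so it uses secure RPC, or consciously accept the risk by policy. A non-zero Denied count for an account you do not recognise is a candidate for incident-response follow-up rather than a compatibility ticket.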

SpearTip is constantly watching for new malware and manipulative programs. Our 24/7 Security Operations Center (SOC) is fully staffed with cybersecurity professionals to monitor and protect your environment. Not only are our cybersecurity teammates continuously preventing cyberattacks, but they are also able to deploy our proprietary tool, ShadowSpear®, in an environment before or after an attack.