Ensure Your Windows Server is Up-to-Date: Patch the Zerologon Vulnerability Now

zerologon vulnerability (CVE-2020-1472)

As an administrator managing Windows Server, staying on top of the latest security updates from Microsoft is crucial. A particularly critical update you shouldn’t overlook addresses the Zerologon vulnerability (CVE-2020-1472), a serious security flaw that could let unauthenticated attackers compromise your domain controller.

Understanding Zerologon: The Critical Vulnerability

Zerologon, discovered by Tom Tervoort of Secura, is a privilege escalation vulnerability resulting from the insecure use of AES-CFB8 encryption for Netlogon sessions. This flaw allows remote attackers to establish a connection to the targeted domain controller via the Netlogon Remote Protocol (MS-NRPC).

The attack takes advantage of weaknesses in the authentication protocol that verifies the identity of domain-joined computers to the Domain Controller. Due to incorrect usage of an AES mode of operation, an attacker can spoof the identity of any computer account, including the Domain Controller itself, and set an empty password for that account within the domain.

Why Zerologon is So Dangerous

With a CVSS score of 10.0, Zerologon is one of the most severe vulnerabilities disclosed in recent times. Although Microsoft released a patch for this vulnerability in August, it gained widespread attention and concern after researchers published technical details and proof-of-concept last week.

Governments worldwide, including the Indian and Australian governments and the United States Cybersecurity and Infrastructure Security Agency (CISA), have issued emergency directives to patch Zerologon flaws immediately.

How the Zerologon Exploit Works

Here’s how attackers exploit the Zerologon vulnerability:

  1. Spoof the Client Credential
  2. Disable RPC Signing and Sealing
  3. Spoof a Call
  4. Change the Computer’s AD Password
  5. Change the Domain Admin Password

By sending several Netlogon messages with various fields filled with zeros, an unauthenticated attacker can change the computer password of the domain controller stored in Active Directory. This altered password can then be used to obtain domain admin credentials and eventually restore the original Domain Controller password.

Immediate Actions Required

CISA has stated that the Zerologon vulnerability poses an unacceptable risk to the Federal Civilian Executive Branch, necessitating immediate emergency action. If your domain controllers cannot be updated promptly, it’s advised to remove them from the network.

Additionally, Samba versions 4.7 and below, which implement the SMB networking protocol for Linux systems, are also vulnerable. A patch update for Samba has been issued to address this flaw.

Detecting Zerologon Exploits

Cynet has provided critical artifacts to help detect active exploitation of the Zerologon vulnerability. These include a specific memory pattern in lsass.exe and an abnormal spike in traffic involving lsass.exe. The most documented artifact is Windows Event ID 4742, indicating that a computer account was changed, often combined with Windows Event ID 4672, which signals special privileges assigned to a new logon.
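The 4742 + 4672 pairing described above, as an added triage check over constructed sample Security-log records (not Cynet's tool or code from the original post). It assumes a minimal projection of each event (SubjectLogonId, SubjectUserName, TargetUserName) and, beyond what the page states, also flags a 4742 whose subject is ANONYMOUS LOGON, since an unauthenticated Netlogon password reset leaves no authenticated subject behind.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SecEvent:
    """Constructed, minimal view of a Windows Security event (not a real log)."""
    event_id: int
    time: datetime
    logon_id: str        # SubjectLogonId: shared by all events of one logon session
    subject: str         # SubjectUserName: who performed the action
    target: str = ""     # TargetUserName (4742 only): the account that was changed


def find_suspicious_account_changes(events, window=timedelta(minutes=5)):
    """Return 4742 (computer account changed) events on $-suffixed computer
    accounts that were either performed by ANONYMOUS LOGON or fall within
    `window` of a 4672 (special privileges assigned) event in the same
    logon session. Routine 30-day machine password rotations can also match
    the second rule, so treat hits as triage candidates, not verdicts."""
    privileged = {}  # logon_id -> times at which 4672 fired for that session
    for e in events:
        if e.event_id == 4672:
            privileged.setdefault(e.logon_id, []).append(e.time)
    hits = []
    for e in events:
        if e.event_id != 4742 or not e.target.endswith("$"):
            continue  # only computer-account changes are of interest here
        anonymous = e.subject.upper() == "ANONYMOUS LOGON"
        near_priv = any(abs(e.time - t) <= window
                        for t in privileged.get(e.logon_id, []))
        if anonymous or near_priv:
            hits.append(e)
    return hits


# Constructed sample timeline: DC01$ is the domain controller's account.
T0 = datetime(2020, 9, 20, 10, 0, 0)
SAMPLE = [
    SecEvent(4742, T0, "0x3E7", "ANONYMOUS LOGON", "DC01$"),              # unauthenticated reset
    SecEvent(4672, T0 + timedelta(minutes=1), "0x5A1B2", "DC01$"),         # privileged logon
    SecEvent(4742, T0 + timedelta(minutes=2), "0x5A1B2", "DC01$", "DC01$"),  # password restored
    SecEvent(4742, T0 + timedelta(minutes=30), "0x9F00", "svc-sccm", "WS042$"),  # benign change
    SecEvent(4742, T0 + timedelta(minutes=40), "0x7C21", "admin", "jdoe"),  # user account, ignored
]

if __name__ == "__main__":
    for hit in find_suspicious_account_changes(SAMPLE):
        print(f"{hit.time:%H:%M:%S} 4742 on {hit.target} by {hit.subject} (logon {hit.logon_id})")
```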

To help Windows Server users quickly detect related attacks, experts have released a YARA rule that can identify exploitation attempts that took place before the rule itself was deployed. A simple tool for real-time monitoring is also available for download.

Final Recommendations

Despite these detection tools, the best way to secure your system is to install the latest software update from Microsoft as soon as possible. Ensuring your Windows Server is up-to-date will protect your network from this critical vulnerability.

Stay informed and keep your systems secure. Follow CybrogenIT on Facebook and LinkedIn for more exclusive content and the latest cybersecurity updates.
