On August’s Patch Tuesday, Microsoft closed several vulnerabilities, among them CVE-2020-1472, known as Zerologon. Secura's security expert Tom Tervoort discovered the vulnerabilty and recently explained in a blog why the vulnerability is so dangerous.
By forging an authentication token for specific Netlogon functionality, he was able to call a function to set the computer password of the Domain Controller to a known value. Likewise, attackers can then use this new password to take control over the domain controller and steal credentials of a domain admin.
The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol, which among other things can be used to update computer passwords. This flaw allows attackers to impersonate any computer, including the domain controller itself, and execute remote procedure calls on their behalf to gain access to corporate networks.
According to Kaspersky, CVE-2020-1472 presents a risk to companies whose networks are based on domain controllers running under Windows. In particular, cybercriminals can hijack a domain controller based on any version of Windows Server 2019 or Windows Server 2016, as well as any edition of Windows Server version 1909, Windows Server version 1903, Windows Server version 1809 (Datacenter and Standard editions), Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 Service Pack 1.
To attack, says Kaspersky, cybercriminals would first need to penetrate the corporate network, but that is not such a major issue — insider attacks and penetration through Ethernet outlets in publicly accessible premises are hardly unprecedented.
Since fixing the vulnerability can cause some devices to not properly authenticate, Microsoft is rolling out the fix in two stages - the first released in August. The second update is scheduled to release February 9, 2021.
Jeff Costlow, CISO at ExtraHop, notes, “The Zerologon vulnerability (CVE-2020-1472) reported in Microsoft’s August Patch Tuesday, now has at least one public proof-of-concept (POC) exploit and we expect it to soon be actively exploited in the wild. This vulnerability is an easy exploit for attackers to deploy and will surely cause problems for organizations who have not yet patched their ActiveDirectory systems. The first POC’s have shown that unauthenticated attackers are able to obtain full administrator privileges on Active Directory systems. Any organizations without the ability to detect exploit attempts will remain at high risk if they delayed the patch as there is no way to know if they were exposed in between the time of reporting and the system update. We urge organizations to patch immediately and be aware that their system might have already been compromised.”
Fausto Oliveira, Principal Security Architect at Acceptto, a Portland, Oregon-based provider of Continuous Behavioral Authentication, explains, “The vulnerability is worrying and there is already POC code available on the Internet. Therefore, it is probable that threat actors are already weaponizing this POC code into their hacking suites and trying to exploit this new vulnerability."
"The only positive side of this finding (if there is any) is that the attacker needs to get into the network in order to exploit the vulnerability. Given that a substantial number of organizations do not use network access control, this is a quite viable point of entry for an attacker. There are a substantial number of MS Remote Desktop Servers directly exposed to the Internet and some of those are misconfigured as Domain controllers. Thus, the requirement for internal network access is not a restriction and those organizations are further exposed to this vulnerability," adds Oliveira.
"My advice is for organizations to implement and enforce network access control and stop offering Remote Desktop services directly on the internet, Instead, place them behind a firewall/IPS and use a VPN to provide access to the limited number of users that may have a legitimate use case to access those services. Lastly, adopt (after testing) the recommendations available in https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc. Until all these controls are in place, organizations remain vulnerable to this attack as well as various other attacks that exploit similar threat surfaces,” Oliveira says.