The impact of a devastating Windows Server vulnerability dubbed “Zerologon” — ostensibly patched by Microsoft on August 11 — continues to reverberate, with the US Cybersecurity and Infrastructure Security Agency (CISA) warning US government agencies on Friday that they have four days to implement the patch.
That CISA feels it needs to do so — over a month after the CVSS 10-rated bug was fixed by Microsoft in a software update — is itself a worrying sign that critical patches are not being widely implemented across the government estate. (The patch is a temporary mitigation, with a full fix not due until early 2021. Several end-users have warned that the fix breaks other critical programmes, including VPNs).
There seems to be quite some questions and confusion about the impact of exploiting Zerologon (CVE-2020-1472) on the environment. So here's a thread 👇
— Dirk-jan (@_dirkjan) September 16, 2020
The emergency directive comes as over 200 public sector entities in the US have been hit by ransomware this year (according to data tracked by security firm Emsisoft) and days after CISA warned government agencies that they had 30 days to get a security vulnerability disclosure process in place, as the agency moves to tighten security processes across a sprawling, fragmented government IT estate.
The vulnerability, CVE-2020-1472, is the second CVSS 10 (the highest possible score for a software vulnerability in the CVSS framework) vulnerability in Windows Server reported over the summer, following the “SIGRed” bug (CVE-2020-1350).
That flaw — which saw over 20 of the Fortune 500 exposed — was identified by Check Point, which noted that successful exploitation could give domain admin privileges and could “compromise your entire corporate infrastructure.”
What is the Zerologon Windows Server Vulnerability?
CISA’s warning comes a week after a working proof of concept (PoC) that lays out how to carry out a Zerologon attack was posted on GitHub by security researcher Dirk-jan Mollema. The vulnerability, if exploited, lets an attacker change a computer account’s password in the domain controller’s Active Directory (a database of all computers joined to a domain, and their passwords), giving full control of the AD domain.
Regarding Zerologon: you *must* prioritize patching over detection with this kind of bug.
Once an attacker owns your DC, their persistence options far exceed what even the most advanced organizations can hope to recover from.
An ounce of patching is worth 10 tons of response.
— Andy Robbins (@_wald0) September 19, 2020
The bug is in Microsoft Windows Netlogon Remote Protocol (MS-NRPC) and can be exploited in approximately three minutes, Red Teamers say.
It was identified by security firm Secura, which noted in a September 11 whitepaper that the bug is “due to incorrect use of an AES mode of operation [which means] it is possible to spoof the identity of any computer account (including that of the DC itself) and set an empty password for that account in the domain.”
Microsoft said the August 11 patch needs to be deployed to all applicable domain controllers (DCs), including read-only domain controllers (RODCs).
“After deploying this update, patched DCs will:
- Begin enforcing secure RPC usage for all Windows-based device accounts, trust accounts and all DCs.
- Log event IDs 5827 and 5828 in the System event log, if connections are denied.
- Log event IDs 5830 and 5831 in the System event log, if connections are allowed by the ‘Domain controller: Allow vulnerable Netlogon secure channel connections’ group policy.
- Log event ID 5829 in the System event log whenever a vulnerable Netlogon secure channel connection is allowed. These events should be addressed before the DC enforcement mode is configured or before the enforcement phase starts on February 9, 2021.”
Full guidance from Microsoft is here.
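As an added illustration of how a defender would act on the event IDs quoted above (this is example code written for this page, not Microsoft’s or the researcher’s), the script below triages Netlogon secure-channel events exported from a patched DC’s System log. It assumes the events have been flattened to `timestamp|dc|event_id|account` records (the sample lines are constructed) and groups accounts by outcome so the ones that will break once enforcement begins can be addressed first.

```python
"""Triage Netlogon secure-channel events (5827-5831) logged by a patched DC.

Added example for this article; not Microsoft's tooling. Input format
(timestamp|dc|event_id|account) is an assumed export layout, and the
sample records below are constructed, not real log data.
"""
from collections import defaultdict

# Outcome of each event ID, as described in Microsoft's patch guidance.
NETLOGON_EVENTS = {
    5827: "denied",              # vulnerable connection refused
    5828: "denied",              # vulnerable connection refused
    5829: "vulnerable_allowed",  # allowed only because enforcement is off
    5830: "allowed_by_policy",   # allowed by the group-policy exception
    5831: "allowed_by_policy",   # allowed by the group-policy exception
}

# Constructed sample export; 4624 is a logon event and should be ignored.
SAMPLE_EVENTS = """\
2020-09-20T08:01:12|DC01|5827|LEGACY-FS01$
2020-09-20T08:03:40|DC01|5829|OLD-PRINT02$
2020-09-20T08:05:05|DC01|5830|NAS-BACKUP$
2020-09-20T08:09:58|DC01|5829|OLD-PRINT02$
2020-09-20T08:11:22|DC01|5831|PARTNER-TRUST$
2020-09-20T08:12:00|DC01|4624|jdoe
"""


def parse_events(text):
    """Return only Netlogon secure-channel events as dicts; skip other IDs."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, dc, event_id, account = line.split("|")
        if int(event_id) in NETLOGON_EVENTS:
            events.append({"time": ts, "dc": dc, "id": int(event_id), "account": account})
    return events


def triage(events):
    """Count events per outcome and account; list accounts still relying on
    vulnerable connections, which will be denied once enforcement starts."""
    by_outcome = defaultdict(lambda: defaultdict(int))
    for ev in events:
        by_outcome[NETLOGON_EVENTS[ev["id"]]][ev["account"]] += 1
    needs_action = sorted({ev["account"] for ev in events
                           if NETLOGON_EVENTS[ev["id"]] != "denied"})
    return {"by_outcome": {k: dict(v) for k, v in by_outcome.items()},
            "needs_action": needs_action}


if __name__ == "__main__":
    print(triage(parse_events(SAMPLE_EVENTS)))
```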