A Netlogon vulnerability patched in Microsoft's August Patch Tuesday release is about as bad as it gets, carrying a maximum CVSSv3 score of 10.0. The vulnerability, dubbed ‘Zerologon’ and tracked as CVE-2020-1472, could allow attackers to take over a Windows domain controller. All an attacker needs is access to the local network, which is also why the attack cannot be performed directly over the internet. However, once an attacker has established a foothold in the target environment, they can change the administrator password on any Windows Domain Controller they can reach.
According to Satnam Narang, Staff Research Engineer, Security Response, at Tenable, “This scenario [an attacker exploiting the vulnerability to reset the password of the domain administrator on an organization’s domain controller] is a game over situation for any organization.”
“The impact of the flaw is limited to an attacker who has already gained a foothold inside an organization’s network. Despite this limitation, an attacker could leverage any number of existing unpatched vulnerabilities to breach its target network before pivoting to compromise the vulnerable domain controller. Additionally, we foresee this flaw being a compelling addition to the toolkit of ransomware gangs, who have already wreaked havoc on private organizations, educational institutions, and governments over the last few years,” Narang said.
The Second Wave, Only Deadlier
The vulnerability was discovered by Secura security expert Tom Tervoort, who had also discovered a Netlogon vulnerability last year. That earlier vulnerability was less severe than the current one. A blog post by Secura also noted that Tervoort, after forging an authentication token for specific Netlogon functionality, was able to call a function that set the computer password of the Domain Controller to a known value.
According to Secura, “The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol, which among other things can be used to update computer passwords. This flaw allows attackers to impersonate any computer, including the domain controller itself, and execute remote procedure calls on their behalf.”
Exploit Scripts are Already Available on GitHub
Every organization is urged to install the patch on all of its domain controllers as soon as possible. “As we’ve already seen, several exploit scripts for this vulnerability have been published to GitHub, which provides a blueprint for defenders and attackers; we strongly encourage organizations to apply the patches provided by Microsoft immediately. If your domain controllers are running unsupported versions that are no longer receiving security updates from Microsoft, it is imperative to upgrade those as soon as possible,” Narang added.