Zerologon bug allows taking over Windows servers on corporate networks

It was revealed this week that Microsoft patched a major vulnerability last month. The problem, tracked as CVE-2020-1472 and named Zerologon, allows an attacker to take over Windows servers that act as domain controllers on corporate networks.

In August 2020, the issue was described as a privilege escalation in Netlogon, scoring 10 out of 10 on the CVSS vulnerability rating scale. However, details of the vulnerability were not disclosed at the time.

Now the specialists of the Dutch company Secura BV, who originally discovered the bug, have published a report with a detailed description, and it is clear that Zerologon fully deserves that rating. No PoC exploit accompanies the experts' report, but the attached Python script can be used to check whether a domain controller is configured correctly.

[Illustration: Zerologon capturing Windows servers]

In fact, the Zerologon vulnerability stems from a weak cryptographic algorithm used in the Netlogon authentication process. The problem was named Zerologon because the attack is carried out by adding zeros to certain Netlogon authentication parameters, as shown in the illustration above. As a result, the bug allows an attacker to manipulate authentication, namely:

  • impersonate any computer on the network during authentication with a domain controller;
  • disable security mechanisms during Netlogon authentication;
  • change the computer password in the Active Directory domain controller.
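
To make the "adding zeros" remark concrete, here is an added illustration of the weakness (not code from the article or from Secura): Netlogon derives its client credential with AES-CFB8 under a fixed all-zero IV, so for roughly one in 256 session keys an all-zero challenge encrypts to an all-zero credential. The block substitutes a keyed SHA-256 stand-in for AES so that it runs without dependencies; that substitution is an assumption, and the property it shows depends only on the CFB8 mode, not on the block cipher.

```python
import hashlib
import random

BLOCK = 16  # block width in bytes, the same as AES-128 in real Netlogon


def stand_in_block_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 (assumption: keyed SHA-256 truncated to one
    block). The all-zero property below depends only on the CFB8 mode, so
    any block function with uniformly distributed output exhibits it."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: each plaintext byte is XORed with the first byte of the block
    cipher applied to a shift register seeded with the IV; the ciphertext
    byte is then shifted into the register."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ stand_in_block_cipher(key, bytes(register))[0]
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """Models ComputeNetlogonCredential: CFB8 over the 8-byte challenge with
    a fixed all-zero IV, which is the weak construction behind Zerologon."""
    return cfb8_encrypt(session_key, bytes(BLOCK), challenge)


def zero_challenge_yields_zero_credential(session_key: bytes) -> bool:
    """True when an all-zero challenge encrypts to all zeros. With a zero IV
    this happens exactly when E_k(0^16)[0] == 0: the first ciphertext byte is
    then 0, the register stays all zeros, and every later byte repeats it."""
    return netlogon_credential(session_key, bytes(8)) == bytes(8)


def fraction_of_weak_keys(trials: int, seed: int = 1234) -> float:
    """Sample session keys from a seeded RNG; the fraction that produce the
    all-zero credential sits close to 1/256 whatever the key material."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(BLOCK))
        hits += zero_challenge_yields_zero_credential(key)
    return hits / trials
```

Calling `fraction_of_weak_keys(51200)` returns a value close to 1/256 (about 0.0039), which is why retrying the zero-filled handshake a few hundred times is enough for the attack the article describes.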

The researchers emphasize that such an attack takes no more than three seconds. Moreover, the attack has practically no restrictions: an attacker can, for example, impersonate a domain controller and change the password, which lets him take over the entire corporate network.

Fortunately, Zerologon cannot be exploited remotely, which means that an attacker must first somehow penetrate the company's network and gain a foothold there. If that happens, however, Zerologon carries a huge risk. Such a bug can be very useful, for example, to ransomware operators, who often start an attack by infecting just one computer on a company's network and then try to spread across the entire network.

“This attack has a huge impact,” write the experts at Secura BV. “In essence, it allows any attacker on the local network (for example, an insider or person that connected a device to a local network port) to completely compromise a Windows domain.”

Patching Zerologon has proven to be a daunting task for Microsoft, since the company's engineers had to change the way billions of devices connect to corporate networks. As a result, the fix was split into two stages. The first stage was completed in August 2020, when Microsoft released an interim fix: this temporary patch made the Netlogon security mechanisms that Zerologon disables mandatory for all authentication operations, effectively preventing attacks.

A more complete patch for Zerologon is scheduled for February 2021, in case attackers find a way to bypass the August fixes. Unfortunately, Microsoft expects that this second patch will inevitably cause authentication problems on some devices.

Let me remind you that in September Microsoft's Patch Tuesday addressed 129 vulnerabilities, including more than 20 critical ones, and a month earlier Microsoft patched two 0-day vulnerabilities that were under active attack.


About Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

