On September 11, 2020 Secura, a digital security advisor company discovered and announced the Microsoft “Zerologon” or “NetLogon” vulnerability, with a Common Vulnerability Scoring System (CVSS) score of 10.0 of 10.0 making it critically severe [1]. “An attacker who successfully exploits the vulnerability could run a specially crafted application on a device on the network” [2]. There has been no specific version of Windows this vulnerability applies to; therefore, which ever version that is being use an update is highly recommended.
Vulnerability
The “Zerologon,” is a privilege-escalation glitch, specifically, the issue exists in the usage of AES-CFB8 encryption for Netlogon sessions. The standard requires that each “byte” of plaintext have a randomized initialization vector (IV), to prevent the attackers from guessing passwords. However, Netlogon’s Compute Netlogon Credential function had the IV at a set fixed 16 bits not making the necessary randomized which give the attacker possible control of the deciphered text [3].
Impact
This vulnerability gives any attacker access to the domain controller and can completely compromise the Windows domain if there is connection to the local network such as a malicious insider or someone plugged in on-premises network port. “The attack is completely unauthenticated: The attacker does not need any user credentials [4].”
Mitigation
A patch for the CVE-2020-1472 vulnerability is in the works however, in the meantime it is recommended that installing the August 2020 security patch updates on all domain controls to include (back-up and read-only). This will be sufficient to help block the “Zerologon” exploit until a patch is released for this vulnerability, which is expected sometime in February 2021. For any guidance for more information on the changes refer to Microsoft.
Relevance
Windows devices are used throughout the nation and with a vulnerability that gives an attack access or control of the domain controller means high risk for exploitation. Organization could run into the risk of network backups being destroyed from ransomware attacks and or malicious scripts.
References
[1] Secura, “Zerologon: instantly become domain admin by subverting Netlogon cryptography (CVE-2020-1472)”, 11 September 2020. https://www.secura.com/blog/zero-logon