If you’re administering Windows Server, make sure it’s up to date with all the recent patches announced by Microsoft, especially the one that patches a recently patched critical vulnerability that could allow undocumented attackers to compromise the domain manager.
Called ‘Zerologon’ (CVE-2020-1472) and discovered by Tom Tervoort of Secura, the debugging vulnerability exists because of the insecure use of AES-CFB8 encryption for Netlogon sessions, allowing for remote attackers to establish a connection with the targeted domain controller. over Netlogon Remote Protocol (MS-NRPC).
“The attack uses flaws in an authentication protocol that validates the authenticity and identity of a domain-linked computer for the Domain Manager. Due to the incorrect use of the AES approach, it is possible to distract any computer account including one the DC itself) and set a blank password for that account in the domain, ”researchers at cybersecurity firm Cynet explain in a blog post.
Although the vulnerability, with a CVSS score of 10.0, was first revealed to the public when Microsoft released a piece for it in August, it quickly became a concern after researchers published technical details and a proof-of-concept of the deficit last week. .
Along with the Government agencies of India and Australia, the US Cyber Security and Infrastructure Security Agency (CISA) issued an emergency directive directing federal agencies to patch Zerologon defects on Windows Servers immediately.
“By sending multiple Netlogon messages where different domains are filled with zero, an unaltered attacker could change the domain controller’s computer password stored in the AD. This can then be used to obtain domain admin references and then restore the original DC password, “the consultants say.
According to Secura, the said deficit can be exploited in the following sequence:
- Spoofing the client’s credential
- Disable RPC Signing and Sealing
- Spoofing call
- Change Computer HR Password
- Change Domain Admin Password
“CISA has determined that this vulnerability presents an unacceptable risk to the Federal Civilian Executive Branch and requires immediate and emergency action.”
“If affected domain controllers cannot be updated, make sure they are removed from the network,” advised CISA.
Furthermore, Samba – the implementation of the SMB networking protocol for Linux systems – versions 4.7 and lower is also vulnerable to Zerologon default. Now, a patch update for this software has also been announced.
Apart from explaining the root cause of the issue, Cynet also released details for some critical artifacts that can be used to detect active exploitation of the vulnerability, including a specific memory pattern in lsass.exe memory and an abnormal spike in lsass.exe traffic.
“The most documented artefact is Windows Event ID 4742 ‘Computer account changed’, often combined with Windows Event ID 4672 ‘Special privileges assigned to new login’.”
To let Windows Server users quickly detect related attacks, experts released a YARA rule that can detect attacks that occurred before use, but simple monitoring is also a simple tool available for download.
However, to completely patch the issue, users still recommend installing the latest software update from Microsoft as soon as possible.