Threat Alert

by IthacaLabs™

THREAT LEVEL/High 25/09/2020

New Critical ZeroLogon Windows Server Vulnerability

Threat Level Description

Threat Level: High – An attack is highly likely. Additional and sustainable protective security measures are needed, reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgments on acceptable risk.

Description

We have observed that a new critical vulnerability has been identified in Microsoft’s Windows Netlogon Remote Protocol (MS-NRPC).

This flaw (CVE-2020-1472), named “Zerologon”, is a privilege escalation vulnerability that exists due to the insecure usage of AES-CFB8 encryption for Netlogon sessions.

The Netlogon Remote Protocol (also called MS-NRPC) is an RPC interface that is used exclusively by domain-joined devices. MS-NRPC includes an authentication method and a method of establishing a Netlogon secure channel.

The exploitation of this vulnerability utilizes flaws in the authentication protocol that validates the authenticity and identity of a domain-joined computer to the Domain Controller. Due to the incorrect use of an AES mode of operation, it is possible to spoof the identity of any computer account (including that of the DC itself) and set an empty password for that account in the domain.

Thus, “Zerologon” could allow remote unauthenticated attackers to achieve privilege escalation by running a specially crafted application on a device on the network that establishes a vulnerable Netlogon secure channel connection to a domain controller.

Note that Samba (an implementation of the SMB networking protocol for Linux systems) versions 4.7 and below are also vulnerable to the “Zerologon” flaw.

CVE(s)

CVE-2020-1472

BASE SCORE: 9.3 High

VECTOR: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka ‘Netlogon Elevation of Privilege Vulnerability’.

Affected Systems

  • Netlogon Remote Protocol (MS-NRPC)

Recommendation(s)

You should immediately proceed and install the latest software update from the vendor and apply the relevant security patches.

System Administrators can test if their network is vulnerable to “Zerologon” by using this script: https://github.com/SecuraBV/CVE-2020-1472

Note that if affected domain controllers cannot be updated, it is suggested that they should be removed from the network.

You should understand the importance of security updates, and the urgency with which they should be applied, no matter how large or small your organization is. It is very important to apply an efficient patch management solution, to keep security event logging enabled at all times, and to practice event monitoring. Protecting the valuable assets of your business and complying with the relevant industry regulations requires a comprehensive approach to the management of risk, including Penetration Testing at least annually and upon significant changes.
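As an added example of the event monitoring recommended above (not part of the original alert or of the vendor's tooling), the following PowerShell sketch collects the Netlogon events that patched domain controllers write to the System log when a vulnerable secure channel connection is denied or allowed (event IDs 5827 to 5831, introduced by Microsoft's August 2020 Netlogon update). The seven-day look-back window and the CSV file name are assumptions; the ActiveDirectory (RSAT) module and read access to each domain controller's event log are required.

```powershell
# Added example: summarize Netlogon secure channel events across all domain controllers.
Import-Module ActiveDirectory

# Event IDs logged by patched DCs and what each one means for triage.
$meaning = @{
    5827 = 'DENIED  vulnerable connection (machine account)'
    5828 = 'DENIED  vulnerable connection (trust account)'
    5829 = 'ALLOWED vulnerable connection (enforcement not yet active)'
    5830 = 'ALLOWED by group policy exception (machine account)'
    5831 = 'ALLOWED by group policy exception (trust account)'
}
$since = (Get-Date).AddDays(-7)   # assumption: one-week look-back window

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $filter = @{ LogName = 'System'; Id = 5827..5831; StartTime = $since }
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent raises an error when nothing matches; keep that apart from an unreachable DC.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() }
        else { Write-Warning "$($dc.HostName): $($_.Exception.Message)"; continue }
    }
    foreach ($e in $events) {
        [pscustomobject]@{
            DomainController = $dc.HostName
            Time             = $e.TimeCreated
            EventId          = $e.Id
            Meaning          = $meaning[$e.Id]
            Message          = $e.Message   # names the account or trust that connected
        }
    }
}

# Per-DC counts: any 5829/5830/5831 entry is a client still using a vulnerable connection.
$report | Group-Object DomainController, EventId |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Meaning'; e = { $_.Group[0].Meaning } } |
    Format-Table -AutoSize

# Keep the allowed connections for follow-up (file name is an assumption).
$report | Where-Object EventId -in 5829, 5830, 5831 |
    Sort-Object Time |
    Export-Csv .\netlogon-vulnerable-allowed.csv -NoTypeInformation
```

A domain controller that returns none of these events over a long period may simply not have the update installed, so confirm its patch level before treating an empty result as clean.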
