On Monday, the Cybersecurity and Infrastructure Security Agency (CISA) warned that it has seen publicly available exploit code for CVE-2020-1472. Called Zerologon and discovered by Tom Tervoort at Secura, Zerologon is rated a perfect 10 under the Common Vulnerability Scoring System (CVSS).
According to Secura: “In order to mitigate this issue, it is highly recommended to install Microsoft’s August 2020 security patches on all Active Directory domain controllers. Leaving a DC unpatched will allow attackers to compromise it and give themselves domain admin privileges. The only thing an attacker needs for that is the ability to set up TCP connections with a vulnerable DC; i.e. they need to have a foothold on the network, but don’t require any domain credentials.”
Why is Zerologon a concern?
In brief, it is arguably one of the simplest and most effective ways of taking ownership of a corporate network. Tervoort describes how the Netlogon protocol works in his paper. He then shows how Zerologon takes advantage of weaknesses in the cryptographic algorithm used by the Netlogon authentication process.
In simple terms:
- Walk into a building
- Plug into a network port
- Send a small piece of code across the network
- Own the network.
Got it? If not, someone who wants to attack your network will. Tervoort says it will take around three minutes. Enterprise Times has not tested to see if Zerologon works over WiFi, but there is no reason to think it won’t.
Tervoort concludes in the Secura paper: “By simply sending a number of Netlogon messages in which various fields are filled with zeroes, an attacker can change the computer password of the domain controller that is stored in the AD. This can then be used to obtain domain admin credentials and then restore the original DC password.
“This attack has a huge impact: it basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain. The attack is completely unauthenticated: the attacker does not need any user credentials.”
It is important to read the last paragraph carefully. On recent visits to a medical facility and a retailer, there were plenty of open sockets. Most convention centres provide network access for exhibitors and media. All of these are just open sockets placed around the building. All of these would be easy to compromise with this attack.
Patch now or pay later
That patch mentioned by Tervoort will stop Zerologon. However, Microsoft has said that this is just part one of two. The second part of the patch is expected on or after February 2021. That patch will enforce some optional security already available in Windows Server. However, there is a real possibility that it will cause problems with some older devices and how they authenticate themselves on the network. Microsoft has delayed that second part of the patch to help organisations test.
While Microsoft has worked hard to make sure organisations apply patches automatically, it cannot force the issue. Many large corporates have processes that mean patches take time. In this case, however, they have no time. Proof-of-concept (PoC) code for Zerologon is available now!
For those organisations that have not applied the August patch, the situation has now escalated. In the last week, several people have published working proof-of-concept (PoC) code for Zerologon. On Monday, security researcher Dirk-jan Mollema published his PoC on GitHub, and it works!
Satnam Narang, Staff Research Engineer, Tenable said: “As we’ve already seen several exploit scripts for this vulnerability published to GitHub, which provides a blueprint for defenders and attackers, we strongly encourage organisations to apply the patches provided by Microsoft immediately.
“If your domain controllers are running unsupported versions that are no longer receiving security updates from Microsoft, it is imperative to upgrade those as soon as possible.”
Enterprise Times: What does this mean?
Yet again, this is an attack with the most serious of consequences that has been just waiting to be discovered. Tervoort has already discovered other issues with Netlogon when it comes to Person in the Middle (PitM) attacks. He was looking for more issues when he stumbled across this one.
In the report, Tervoort muses that the reason Microsoft has not addressed this issue previously is backward compatibility. This is, and has been for some time, Microsoft's Achilles' heel. Back in 2000, it refused to put any of its products through the Certified for Windows 2000 tests. This was because its code, at the time, continued to support deprecated technology and would have failed the certification tests.
When asked at the time, Microsoft admitted that it couldn't remove the technology because it would break some applications. It felt that its responsibility to backward compatibility was too important to its customers. The problem is that, two decades on, that decision has proven several times to have been a bad one.
Two questions need to be answered. The first is how long it will take for the majority of Windows Servers to be patched against Zerologon. The second is what else is hiding deep in Microsoft's code, just waiting for its moment to bite.
For now, if you run Microsoft Windows Server, you need to make sure you apply this patch. No ifs, no buts, just patch.