IT administrators are urged to apply Microsoft’s August patch update as quickly as possible
A severe vulnerability, patched in Microsoft’s August Patch Tuesday, can be exploited by attackers to hijack enterprise servers due to cryptographic weaknesses in Netlogon.
Tracked as CVE-2020-1472 and issued a CVSS rating of 10.00, the highest critical impact score possible, the bug is described as a “privilege escalation vulnerability” caused by attackers “establishing a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC)”.
Dubbed Zerologon, the vulnerability was discovered by Secura’s Tom Tervoort. The cybersecurity researcher has found similar issues in Netlogon before – including CVE-2019-1424, a security bypass flaw that enabled remote local administrator access to domain-joined Windows machines – but the latest Netlogon security issue is far more severe.
Netlogon is an authentication protocol that verifies users and services by way of a secure channel forged between a machine and a domain controller.
This Windows service is a background process and is critical for authentication on networks.
Tervoort uncovered a cryptographic authentication flaw in the Netlogon Remote Protocol, according to a blog post.
No credentials required
The Netlogon Remote Protocol is used to change or replicate account credentials and passwords within a domain, as well as maintain user domain controller (DC) relationships.
According to Secura’s technical paper examining the vulnerability, all an attacker needs is a foothold in a network from which to establish a connection to a domain controller using MS-NRPC. No credentials are required to perform an attack.
The protocol uses a custom encryption scheme between a client and a server to prove a shared secret, which happens to be the hash of a client machine’s account password.
Two versions of the cryptographic process used to generate credential values exist, one based on 2DES and a more modern version based on AES. Which scheme is used depends on the flags set by the user.
The vulnerability exists in the newest encryption protocol and is caused by the incorrect use of an AES operational mode, which permits attackers to “spoof the identity of any computer account (including that of the DC itself) and set an empty password for that account in the domain”, the paper reads.
After filling an empty password with zeros, for example, an on-premises attacker can impersonate any PC, infiltrate a domain controller or set themselves up as one, execute remote procedure calls, change passwords and, in short, completely compromise a Windows domain.
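As an added illustration that is not from the article, from Secura or from Microsoft: the Netlogon credential computation the paper describes is AES-CFB8 over the client challenge with a fixed all-zero IV (a detail taken from Secura's technical paper, not stated above). This Go program implements that mode and shows why an all-zero challenge produces an all-zero credential for roughly one key in 256, which is the "incorrect use of an AES operational mode" at the heart of the flaw.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"fmt"
)

// cfb8Encrypt is AES-CFB8: each plaintext byte is XORed with the first byte of
// AES(key, register), and the resulting ciphertext byte is shifted into the register.
func cfb8Encrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	reg := make([]byte, aes.BlockSize)
	copy(reg, iv)
	out := make([]byte, len(plaintext))
	ks := make([]byte, aes.BlockSize)
	for i, p := range plaintext {
		block.Encrypt(ks, reg)
		out[i] = p ^ ks[0]
		reg = append(reg[1:], out[i])
	}
	return out, nil
}

// zeroCredential reports whether an all-zero 8-byte challenge encrypts to an all-zero
// credential under a fixed all-zero IV: true exactly when AES(key, 0)[0] == 0, since the
// register then never changes. About 1 key in 256 qualifies; a random IV would prevent it.
func zeroCredential(key []byte) (bool, error) {
	iv, challenge := make([]byte, aes.BlockSize), make([]byte, 8) // zero IV is the flaw
	cred, err := cfb8Encrypt(key, iv, challenge)
	if err != nil {
		return false, err
	}
	return bytes.Equal(cred, challenge), nil
}

func main() {
	hits, key := 0, make([]byte, 16) // sample random 128-bit keys; expect ~1/256 hits
	for i := 0; i < 25600; i++ {
		rand.Read(key) // crypto/rand.Read does not fail in practice
		if z, _ := zeroCredential(key); z {
			hits++
		}
	}
	fmt.Printf("%d of 25600 random keys gave an all-zero credential (expected ~100)\n", hits)
}
```

The key strength is irrelevant here: the weakness is entirely in the fixed IV combined with CFB8's one-byte feedback, which is why the fix had to change the protocol's handling rather than the secret.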
Microsoft’s CVE-2020-1472 security advisory notes that the critical security flaw is being addressed in a two-stage rollout – an unusual move in itself, but required due to the scope of the vulnerability.
The first update, released in August’s Patch Tuesday, mitigates the worst of the damage and is deemed “sufficient” by Secura in blocking high-impact exploitation by implementing previously optional security measures in Netlogon.
Due to roll out in Q1 2021, the second stage will tighten restrictions further – but is also a more complicated affair. According to the security firm, users of “third-party devices and software” may experience disruption or breakage, but no further details have been released.
Domain controllers should be patched as soon as possible. Secura has also published a tool on GitHub that administrators can run to see if a domain controller is vulnerable.
The Daily Swig has reached out to Secura with additional queries and will update this story accordingly.