Microsoft engineers warn that hackers have begun to exploit the Zerologon vulnerability (CVE-2020-1472), which was fixed as part of the August Patch Tuesday updates.
Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks.
Many experts call Zerologon the most dangerous bug of the year, and last weekend the US Department of Homeland Security gave the country's federal agencies three days to urgently patch it, threatening otherwise to disconnect them from federal networks.
In August 2020, this issue was described as a privilege escalation in Netlogon, scoring 10 out of 10 on the CVSS vulnerability rating scale. However, details of the vulnerability were not disclosed at the time. Only in the middle of this month did experts from the Dutch company Secura BV reveal details about Zerologon, and soon afterwards the first PoC exploits appeared online.
In essence, the Zerologon vulnerability stems from a weak cryptographic algorithm used in the Netlogon authentication process. The problem was named Zerologon because the attack is carried out by adding zeros to certain Netlogon authentication parameters, as shown in the illustration above. As a result, the bug allows an attacker to manipulate authentication, namely to:
- impersonate any computer on the network during authentication with a domain controller;
- disable security mechanisms during Netlogon authentication;
- change the computer password on the Active Directory domain controller.
“Microsoft is monitoring the activity of attackers using exploits for the vulnerability CVE-2020-1472 in Netlogon EoP, dubbed Zerologon. We have seen attacks in which publicly available exploits were incorporated into the attackers' strategy,” the company representatives wrote on Twitter.
Although Microsoft has yet to release details of the attacks, the company has published the file hashes of the exploits used in them.
In addition, at the beginning of this week it became known that, under certain circumstances, Zerologon also poses a threat to Samba.
“The netlogon protocol contains an issue that allows you to bypass authentication. Microsoft reported this and fixed the issue identified as CVE-2020-1472. Since the bug was discovered at the protocol level, and Samba is working with its implementation, Samba is vulnerable as well.
However, starting with version 4.8 released in March 2018, Samba insists on secure logon by default, which is a sufficient means of countering known exploits. The defaults are equivalent to having server schannel = yes in the smb.conf file.
Therefore, versions 4.8 and above are not affected by the issue if they do not contain the smb.conf server schannel = no or server schannel = auto lines. Samba 4.7 and earlier are vulnerable if server schannel = yes is not specified in smb.conf.
Please note that each domain controller requires correct smb.conf settings,” the developers warned.
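As an added example (not code from the Samba project or from the original article), the following Python check applies the rules from the advisory above to one domain controller's Samba version and smb.conf, reporting whether that host remains exposed. The configuration fragments and version strings are constructed for illustration; the parser follows Samba's case- and whitespace-insensitive parameter names and its '#'/';' comment syntax.

```python
import re

# Constructed smb.conf fragments for illustration; not taken from any real host.
SAFE_CONF = """
[global]
    server role = active directory domain controller
    server schannel = yes
"""
WEAK_CONF = """
[global]
    server role = active directory domain controller
    ; left over from a legacy client workaround; weakens Netlogon enforcement
    server schannel = auto
"""
DEFAULT_CONF = """
[global]
    server role = active directory domain controller
"""

def parse_version(version: str) -> tuple:
    """Turn a Samba version string such as '4.8.12' into (4, 8, 12)."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])

def server_schannel_setting(conf: str):
    """Return the normalised 'server schannel' value from [global], or None if unset.
    Boolean spellings fold to 'yes'/'no'; 'auto' is kept as-is; later values override."""
    synonyms = {"true": "yes", "1": "yes", "false": "no", "0": "no"}
    section, value = None, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, val = (part.strip() for part in line.split("=", 1))
        if re.sub(r"\s+", "", key.lower()) == "serverschannel":
            val = val.lower()
            value = synonyms.get(val, val)
    return value

def zerologon_exposed(samba_version: str, conf: str) -> bool:
    """Advisory rules: 4.8+ is safe unless server schannel is explicitly 'no' or
    'auto'; 4.7 and earlier are vulnerable unless server schannel = yes is set."""
    setting = server_schannel_setting(conf)
    if parse_version(samba_version) >= (4, 8):
        return setting in ("no", "auto")
    return setting != "yes"
```

Run the check against every domain controller's smb.conf, since the advisory stresses that the setting must be correct on each one individually.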