It was revealed this week that Microsoft patched a major vulnerability last month. The problem is tracked as CVE-2020-1472 and goes by the name Zerologon. The bug allows hijacking of Windows servers acting as domain controllers in corporate networks.
In August 2020, the issue was described as a privilege escalation in Netlogon, scoring 10 out of 10 on the CVSS vulnerability rating scale. However, details of the vulnerability were not disclosed at the time.
Now the specialists of the Dutch company Secura BV, who originally discovered the bug, have published a report with a detailed description, and it has become clear that Zerologon received such a rating for a reason. The experts' report does not include a PoC exploit, only a Python script that can be used to verify that a domain controller is configured correctly.
In essence, the Zerologon vulnerability relies on a weak cryptographic algorithm used in the Netlogon authentication process. The problem was named Zerologon because the attack is carried out by adding zeros to certain Netlogon authentication parameters, as seen in the illustration above. As a result, the bug allows an attacker to manipulate authentication, namely:
- impersonate any computer on the network during authentication with a domain controller;
- disable security mechanisms during Netlogon authentication;
- change the computer password in the Active Directory domain controller.
The researchers emphasize that such an attack takes at most three seconds. In addition, there are practically no restrictions on the attack: for example, an attacker can impersonate a domain controller and change the password, which allows him to take over the entire corporate network.
Fortunately, Zerologon cannot be used remotely, which means that an attacker must first somehow penetrate the company's network and gain a foothold there. However, if that happens, Zerologon carries a huge risk. For example, such a bug can be very useful to ransomware operators, who often start an attack by infecting just one computer on a company's network and then try to spread across the entire network.
"This attack has a huge impact," write the experts at Secura BV. "In essence, it allows any attacker on the local network (for example, an insider or whoever connected a device to a local network port) to completely compromise a Windows domain."
Patching Zerologon has proven to be a daunting task for Microsoft. The fact is that the company's engineers had to change the way billions of devices connect to corporate networks. As a result, fixing the bug was split into two stages: the first was completed in August 2020, when Microsoft released an interim fix. This temporary patch made the Netlogon security mechanisms (which Zerologon disables) mandatory for all authentication operations, effectively preventing attacks.
The release of a more complete patch for Zerologon is scheduled for February 2021, in case attackers still find a way to bypass the August fixes. Unfortunately, Microsoft expects that the second patch will inevitably cause authentication problems on some devices.
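The August 2020 interim update also added Netlogon event logging on domain controllers (Event IDs 5827 to 5831 in the System log, per Microsoft's guidance for that update): 5827 and 5828 record a vulnerable secure-channel connection that was denied, while 5829, 5830 and 5831 record one that was still allowed. Administrators used these events to find the devices that would break once the February 2021 enforcement phase arrived. The following triage script is an added example and is not code from the article, from Secura or from Microsoft; it parses constructed sample lines in a hypothetical flattened "timestamp | event id | source | message" export format (the message wording is approximate, not Microsoft's exact text) and reports which accounts are still making vulnerable connections.

```python
"""Triage Netlogon events (5827-5831) to find devices still making vulnerable connections.

Added example. The log format below is a hypothetical flattened export, and the
sample lines are constructed; only the event IDs come from Microsoft's guidance
for the August 2020 Netlogon update.
"""
import re
from collections import Counter, defaultdict

# Event ID -> (outcome, description). Outcome "allowed" means the DC is still
# accepting a vulnerable Netlogon secure channel from that account.
NETLOGON_EVENTS = {
    5827: ("denied", "machine account"),
    5828: ("denied", "trust account"),
    5829: ("allowed", "machine account, initial deployment phase"),
    5830: ("allowed", "machine account, allowed by group policy"),
    5831: ("allowed", "trust account, allowed by group policy"),
}

# Constructed sample export: "timestamp | event id | source | message".
SAMPLE_LOG = """\
2020-09-15T10:01:12 | 5829 | NETLOGON | Allowed a vulnerable Netlogon secure channel connection. Machine SamAccountName: OLDNAS$ Domain: CORP
2020-09-15T10:02:40 | 5829 | NETLOGON | Allowed a vulnerable Netlogon secure channel connection. Machine SamAccountName: OLDNAS$ Domain: CORP
2020-09-15T10:05:03 | 5827 | NETLOGON | Denied a vulnerable Netlogon secure channel connection from a machine account. Machine SamAccountName: LAB-PC7$ Domain: CORP
2020-09-15T10:06:11 | 5830 | NETLOGON | Allowed a vulnerable Netlogon secure channel connection because the account is listed in group policy. Machine SamAccountName: PRINTSRV$ Domain: CORP
2020-09-15T10:07:00 | 7036 | Service Control Manager | The Windows Update service entered the running state.
2020-09-15T10:08:30 | 5828 | NETLOGON | Denied a vulnerable Netlogon secure channel connection using a trust account. Trust SamAccountName: PARTNER$ Domain: PARTNER
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s*\|\s*(?P<eid>\d+)\s*\|\s*(?P<src>[^|]+?)\s*\|\s*(?P<msg>.*)$")
ACCOUNT_RE = re.compile(r"SamAccountName:\s*(\S+)")


def parse_events(text):
    """Return the Netlogon 5827-5831 events found in the flattened export, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        eid = int(m.group("eid"))
        if eid not in NETLOGON_EVENTS or m.group("src").strip().upper() != "NETLOGON":
            continue  # unrelated event (e.g. 7036 from the Service Control Manager)
        acct = ACCOUNT_RE.search(m.group("msg"))
        events.append({
            "time": m.group("ts"),
            "event_id": eid,
            "account": acct.group(1) if acct else "<unknown>",
        })
    return events


def triage(events):
    """Summarise which accounts are still being allowed vulnerable connections.

    enforcement_ready is True only when no 'allowed' event was seen, i.e. the
    February 2021 enforcement phase should not break any logged device.
    """
    counts = Counter(e["event_id"] for e in events)
    allowed = defaultdict(int)
    denied = set()
    for e in events:
        outcome, _ = NETLOGON_EVENTS[e["event_id"]]
        if outcome == "allowed":
            allowed[e["account"]] += 1
        else:
            denied.add(e["account"])
    return {
        "counts": dict(counts),
        "allowed_accounts": dict(allowed),   # these still need patching or replacement
        "denied_accounts": sorted(denied),   # already blocked by the DC
        "enforcement_ready": not allowed,
    }


if __name__ == "__main__":
    summary = triage(parse_events(SAMPLE_LOG))
    for account, n in sorted(summary["allowed_accounts"].items()):
        print(f"STILL VULNERABLE: {account} ({n} allowed connection(s))")
    print("Ready for enforcement:", summary["enforcement_ready"])
```

On the constructed sample the script flags OLDNAS$ and PRINTSRV$ as accounts whose vulnerable connections are still being allowed, lists LAB-PC7$ and PARTNER$ as already denied, and reports that enforcement is not yet safe; the same logic applies to a real export as long as the line shape matches the regular expression.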