Zerologon attack lets hackers compromise Windows domain


In August, Microsoft patched a severe bug that researchers have named Zerologon; when exploited, it could let attackers take over Windows Servers running as domain controllers in enterprise networks.

The bug, tracked as CVE-2020-1472, is an elevation-of-privilege flaw in Netlogon, an authentication mechanism in the Windows client authentication architecture that verifies logon requests and registers, authenticates, and locates domain controllers.

According to an advisory published by Microsoft, an elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.

Microsoft did not release technical details of the vulnerability, but researchers at Secura B.V., a Dutch security firm, published a detailed analysis of the flaw.

According to Secura experts, Zerologon takes advantage of a weak cryptographic algorithm used in the Netlogon authentication process.

This bug allows an attacker to manipulate Netlogon authentication procedures and:

  • impersonate the identity of any computer on a network when trying to authenticate against the domain controller
  • disable security features in the Netlogon authentication process
  • change a computer’s password on the domain controller’s Active Directory (a database of all computers joined to a domain, and their passwords)

The bug was named Zerologon because the attack works by filling certain Netlogon authentication parameters with zero characters.

This attack has a huge impact as it allows any attacker on the local network to completely compromise the Windows domain. The attack is completely unauthenticated.

The Zerologon attack could be exploited by threat actors to deliver malware and ransomware on the target network.

There are no limits to how an attacker can use the Zerologon attack. For example, the attacker could impersonate the domain controller itself and change its password, allowing them to take over the entire corporate network.

The only limitation on how to carry out a Zerologon attack is that the attacker must have access to the target network.

The August 2020 Patch Tuesday security updates address the vulnerability only temporarily. This temporary patch made the Netlogon security features mandatory for all Netlogon authentications, effectively breaking Zerologon attacks. A more complete patch is scheduled for February 2021.

Secura researchers released a Python script, built on the Impacket library, that tests for the Zerologon vulnerability; admins can use it to determine whether their domain controller is still vulnerable.
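Besides running the Secura test script, admins can read the domain controller's own logs: after the August 2020 update, the Netlogon service records which devices are still relying on the insecure channel. The snippet below is an added example, not code from this article or from Secura; it assumes a simplified one-event-per-line export format (the sample lines are constructed) and uses the Netlogon event IDs 5827 to 5831 that Microsoft documented with that update.

```python
import re
from collections import defaultdict

# Constructed sample export (one event per line; not a real Windows log dump).
# The event IDs are those Microsoft documented for the August 2020 Netlogon
# update: 5827/5828 = vulnerable secure channel denied (machine / trust
# account), 5829 = vulnerable channel still allowed before enforcement,
# 5830/5831 = allowed only through an explicit group policy exception.
SAMPLE_EVENTS = """\
2020-09-14T08:01:12Z EventID=5829 Account=WS-FINANCE07$ Domain=CORP ClientIP=10.0.12.31
2020-09-14T08:03:45Z EventID=5829 Account=PRINTSRV01$ Domain=CORP ClientIP=10.0.9.5
2020-09-14T08:05:02Z EventID=5827 Account=WS-FINANCE07$ Domain=CORP ClientIP=10.0.12.31
2020-09-14T08:06:30Z EventID=5830 Account=LEGACY-NAS$ Domain=CORP ClientIP=10.0.3.77
2020-09-14T08:07:10Z EventID=4624 Account=alice Domain=CORP ClientIP=10.0.12.40
2020-09-14T08:09:55Z EventID=5829 Account=WS-FINANCE07$ Domain=CORP ClientIP=10.0.12.31
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) Account=(?P<acct>\S+) "
    r"Domain=(?P<dom>\S+) ClientIP=(?P<ip>\S+)$"
)

# Map each Netlogon channel event ID to the bucket it belongs in.
KIND = {5827: "denied", 5828: "denied", 5829: "allowed_vulnerable",
        5830: "policy_exception", 5831: "policy_exception"}

def triage_netlogon_events(text):
    """Count Netlogon secure channel events per account; unrelated events
    (e.g. 4624 logons) are ignored. Returns {account: {"denied": n,
    "allowed_vulnerable": n, "policy_exception": n, "ips": set()}}."""
    summary = defaultdict(lambda: {"denied": 0, "allowed_vulnerable": 0,
                                   "policy_exception": 0, "ips": set()})
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        key = KIND.get(int(m.group("id"))) if m else None
        if key is None:
            continue
        entry = summary[m.group("acct")]
        entry[key] += 1
        entry["ips"].add(m.group("ip"))
    return dict(summary)

def accounts_needing_attention(summary):
    """Accounts still relying on the insecure channel: they are being denied
    already, or will be once enforcement is switched on, so they need to be
    updated (or deliberately excepted and monitored) before that date."""
    return sorted(a for a, e in summary.items()
                  if e["allowed_vulnerable"] or e["denied"])
```

Accounts that only appear under 5830/5831 are already covered by a deliberate policy exception and are reported separately so they can be reviewed rather than flagged as unexpected.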

Image Credits: Kratikal

Priyanka R
Cyber Security Enthusiast, Security Blogger, Technical Editor, Author at Cyber Safe News
