In the update package that Microsoft released in August, the company included a patch for a critical privilege escalation vulnerability (CVE-2020-1472), nicknamed Zerologon, in the Netlogon authentication service, a service that, among other things, handles the modification of passwords for computer and user accounts on Active Directory domain controllers. If successfully exploited, an unauthenticated attacker could compromise an entire Windows network: by escalating privileges to domain administrator level, the attacker could modify user passwords and execute whatever commands they want.

In Microsoft's risk rating for security issues, Zerologon scored 10 out of 10, the highest possible score. That alone is more than enough reason to stop whatever else we are doing and immediately install the patches which, fortunately, have already been published and which fix the problem, the huge problem that this security hole, made public last Friday, represents.

The finding was made by the cybersecurity company Secura, which has published a document explaining the nature of Zerologon and, even more importantly, the risks it poses. Very briefly, these come down to the fact that an attacker, starting from nothing and simply by being on the local network where the server is located, can escalate privileges to become an administrator of the domain managed by the attacked machine.

What does Zerologon do?

Zerologon relies on flaws in the implementation of encryption in Netlogon, the Windows Server process that authenticates users and other services within a domain. It is therefore a key element of server security, and when it is compromised, the security of the entire system is in jeopardy. And in case you are wondering how complex the attack is, the experts describe Zerologon like this:

By simply sending a number of Netlogon messages in which various fields are filled with zeroes, an attacker can change the computer password of the domain controller that is stored in the AD. This can then be used to obtain domain admin credentials and then restore the original DC password.
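Secura's description turns on a cryptographic detail that is public knowledge: Netlogon computed its credentials with AES in CFB8 mode using a fixed, all-zero IV. The Go program below is an added illustration, not code from the article, Secura or Microsoft: it implements CFB8 over the standard-library AES and measures how often an all-zero 8-byte input produces an all-zero output under random keys, once with the fixed zero IV and, purely for contrast (an assumption of the illustration, not a description of Microsoft's patch), with a fresh random IV per run.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"fmt"
)

// cfb8Encrypt runs AES in CFB8 mode: each plaintext byte is XORed with the first
// byte of AES(register); the register (initially the IV) then shifts one byte left
// and the new ciphertext byte is appended at the end.
func cfb8Encrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // 16-byte key -> AES-128
	if err != nil {
		return nil, err
	}
	reg, ks := make([]byte, 16), make([]byte, 16)
	copy(reg, iv)
	out := make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(ks, reg)
		out[i] = p ^ ks[0]
		copy(reg, reg[1:]) // shift register left by one byte
		reg[15] = out[i]
	}
	return out, nil
}

// zeroOutputFraction encrypts an all-zero 8-byte value (the size of a Netlogon credential)
// under `trials` random keys and returns how often the ciphertext is also all zero.
func zeroOutputFraction(trials int, randomIV bool) float64 {
	zero, key, iv := make([]byte, 8), make([]byte, 16), make([]byte, 16)
	hits := 0
	for i := 0; i < trials; i++ {
		rand.Read(key)
		if randomIV {
			rand.Read(iv) // otherwise iv stays fixed at sixteen zero bytes
		}
		if ct, _ := cfb8Encrypt(key, iv, zero); bytes.Equal(ct, zero) {
			hits++ // zero in, zero out under this key
		}
	}
	return float64(hits) / float64(trials)
}

func main() {
	fmt.Printf("fixed zero IV: %.4f (expect about 1/256 = 0.0039)\n", zeroOutputFraction(50000, false))
	fmt.Printf("random IV:     %.4f (expect about 0)\n", zeroOutputFraction(50000, true))
}
```

With the zero IV, a zero first keystream byte leaves the shift register all zero, so every following byte is zero as well; that is why roughly one key in 256 maps a zero input to a zero output, while a random IV makes the event vanishingly rare.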

Because of how dangerous it is, several official institutions, such as the US Cybersecurity and Infrastructure Security Agency (CISA), have issued emergency directives urging the update of all Windows Server installations that may be affected by Zerologon.

It is highly unusual for the Department of Homeland Security (DHS) to go beyond issuing security recommendations or guidance and impose deadlines, and such strict ones, on all federal agencies to update their systems. This is one more, very clear, sign of the risks associated with Zerologon, and even more so now that it has been made public: it is all but certain that a legion of cybercriminals will be conducting the first tests to try to exploit this vulnerability.
