Critical Privilege Escalation Exploit ‘Zerologon’; Have You Patched?

15 September 2020

In August 2020, Microsoft began patching a critical privilege escalation exploit in Windows Server (CVE-2020-1472).  Codenamed Zerologon, it allows an attacker to become a domain admin, even without any credentials.  The vulnerability received the maximum severity rating of 10.

Zerologon is launched from within the target network, for example from a compromised machine or by a malicious insider.  It exploits a bug in the implementation of Windows Server’s Netlogon service.  Netlogon’s authentication uses AES in AES-CFB8 mode.  However, it fails to randomise the initialisation vector (IV), which is left as all zeros.  This allows a chosen-plaintext attack to take place, which can lead to an attacker:

  • impersonating any machine on the network when authenticating against the domain controller;
  • changing a machine’s password on the domain controller’s Active Directory;
  • disabling signing and encryption, and spoofing calls to the Netlogon service;
  • and taking control of the domain controller, escalating themselves to domain administrator.
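The cryptographic weakness behind the list above can be shown in isolation.  The following Go program is an added illustration, not code from the original post or from Microsoft: it implements AES-CFB8 on top of the standard library's AES block cipher and measures how often encrypting eight zero bytes under an all-zero IV yields eight zero ciphertext bytes.  Because the CFB8 shift register only changes when a non-zero ciphertext byte is produced, a single zero keystream byte freezes the register, so roughly one key in 256 collapses to an all-zero output regardless of key length.  The key sampling and the seed are constructed for the demonstration; no Netlogon traffic is involved.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
	"math/rand"
)

var zeros = make([]byte, aes.BlockSize) // constructed all-zero IV and plaintext
// cfb8Encrypt implements AES-CFB8: each plaintext byte is XORed with the first
// byte of AES(key, reg), then the ciphertext byte is shifted into reg. With a
// fixed IV the keystream depends only on the key and earlier ciphertext bytes.
func cfb8Encrypt(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	reg := append(make([]byte, 0, aes.BlockSize), iv...)
	out, ks := make([]byte, len(plaintext)), make([]byte, aes.BlockSize)
	for i, p := range plaintext {
		block.Encrypt(ks, reg)
		out[i] = p ^ ks[0]
		reg = append(reg[1:], out[i])
	}
	return out
}

// ZeroIVCollapses reports whether 8 zero plaintext bytes under a zero IV give
// 8 zero ciphertext bytes. Once the first keystream byte is 0x00 the register
// never changes, so the collapse needs only one lucky byte (about 1 key in 256).
func ZeroIVCollapses(key []byte) bool {
	return bytes.Equal(cfb8Encrypt(key, zeros, zeros[:8]), zeros[:8])
}

// CollapseRate estimates the collapse probability over n seeded random AES-128 keys.
func CollapseRate(n int, seed int64) float64 {
	rng, hits, key := rand.New(rand.NewSource(seed)), 0, make([]byte, 16)
	for i := 0; i < n; i++ {
		rng.Read(key)
		if ZeroIVCollapses(key) {
			hits++
		}
	}
	return float64(hits) / float64(n)
}

func main() {
	fmt.Printf("zero-IV collapse rate: %.5f (expected ~%.5f)\n", CollapseRate(50000, 1), 1.0/256)
}
```

A properly randomised IV removes this property, which is why the fix is a protocol-level change rather than a key rotation.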

Furthermore, when an attacker changes a machine’s password, it only changes in Active Directory.  The machine will then no longer be able to authenticate against Active Directory and will fall back to using locally cached credentials until it is manually resynchronised.  This can leave the machine vulnerable to cache manipulation, and thus to additional risk from standing privileges.

We recommend patching CVE-2020-1472 on an emergency basis.  A further patch is expected in Q1 2021; please refer to Microsoft’s advisory.
