Critical Privilege Escalation Exploit ‘Zerologon’; Have You Patched?
15 September 2020
In August 2020, Microsoft began patching a critical privilege escalation vulnerability in Windows Server (CVE-2020-1472). Codenamed Zerologon, it allows an attacker to become a domain admin, even without any credentials. The vulnerability received the maximum severity rating of 10.
Zerologon is launched from within the target network, for example from a compromised machine or by a malicious insider. It exploits a bug in the implementation of Windows Server’s Netlogon service. Netlogon’s authentication uses AES in AES-CFB8 mode. However, it fails to randomly initialise the initialisation vector (IV). This allows a chosen-plaintext attack to take place, which can lead to an attacker:
- impersonating any machine on the network when authenticating against the domain controller;
- changing a machine’s password on the domain controller’s Active Directory;
- disabling signing and encryption, and spoofing calls to the Netlogon service;
- and taking control of the domain controller, escalating themselves to domain administrator.
Furthermore, when an attacker changes a machine’s password, it only changes in Active Directory. The machine will then no longer be able to authenticate against Active Directory and will fall back to using locally cached credentials until manually resynchronised. This can leave a machine vulnerable to cache manipulation, and thus at additional risk from standing privileges.
We recommend patching CVE-2020-1472 on an emergency basis. A further patch is expected in Q1 2021; please refer to Microsoft’s advisory.
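An added illustration (not code from this advisory or from Microsoft) of the AES-CFB8 property behind the flaw described above: with a fixed all-zero IV, encrypting an all-zero plaintext yields an all-zero ciphertext for roughly one key in 256, which is why a non-random IV lets a chosen-plaintext attack succeed. The function names and the deterministic sample keys are this example's own constructions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// cfb8Encrypt implements AES-CFB8: each plaintext byte is XORed with the first
// byte of AES(shiftRegister); the register then slides one byte left and the
// new ciphertext byte is appended at the end.
func cfb8Encrypt(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	sr := make([]byte, aes.BlockSize)
	copy(sr, iv)
	ks := make([]byte, aes.BlockSize)
	out := make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(ks, sr)
		out[i] = p ^ ks[0]
		copy(sr, sr[1:]) // Go's copy handles the overlap like memmove
		sr[aes.BlockSize-1] = out[i]
	}
	return out
}

// firstKeystreamByte returns the first CFB8 keystream byte for key and iv.
func firstKeystreamByte(key, iv []byte) byte {
	return cfb8Encrypt(key, iv, []byte{0})[0]
}

// collapsesUnderZeroIV reports whether a zero IV and an all-zero 8-byte
// plaintext encrypt to all zeros under key. That happens exactly when the
// first byte of AES_key(0^16) is zero: the shift register then never changes,
// so every keystream byte is that same zero. With a random IV the register
// starts unpredictable and this fixed point is not reachable by choice.
func collapsesUnderZeroIV(key []byte) bool {
	ct := cfb8Encrypt(key, make([]byte, aes.BlockSize), make([]byte, 8))
	return bytes.Equal(ct, make([]byte, 8))
}

// countCollapsingKeys counts collapsing keys among n constructed sample keys
// (a counter in the last 8 bytes); the expected fraction is 1/256.
func countCollapsingKeys(n int) int {
	count, key := 0, make([]byte, 16)
	for i := 0; i < n; i++ {
		binary.BigEndian.PutUint64(key[8:], uint64(i))
		if collapsesUnderZeroIV(key) {
			count++
		}
	}
	return count
}

func main() {
	n := 65536
	c := countCollapsingKeys(n)
	fmt.Printf("%d of %d sample keys collapse to an all-zero ciphertext (1/%d)\n", c, n, n/c)
}
```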