Critical Privilege Escalation Exploit ‘Zerologon’; Have You Patched?
15 September 2020
In August 2020, Microsoft began patching a critical privilege escalation exploit in Windows Server (CVE-2020-1472). Codenamed Zerologon, it allows an attacker to become a domain admin, even without any credentials. The vulnerability received the maximum severity rating of 10.
Zerologon is launched from within the target network, for example from a compromised machine or by a malicious insider. It exploits a bug in the implementation of Windows Server’s Netlogon service. Netlogon’s authentication uses AES in AES-CFB8 mode. However, it fails to randomly initialise the initialisation vector (IV). This allows a chosen-plaintext attack to take place, which can lead to an attacker:
- impersonating any machine on the network when authenticating against the domain controller;
- changing a machine’s password on the domain controller’s Active Directory;
- disabling signing and encryption, and spoofing calls to the Netlogon service;
- and taking control of the domain controller, escalating themselves to domain administrator.
Furthermore, when an attacker changes a machine’s password, it only changes in Active Directory. The machine will then no longer be able to authenticate against Active Directory and will fall back to using locally cached credentials until it is manually resynchronised. This can leave the machine vulnerable to cache manipulation, and thus to additional risk from standing privileges.
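The cryptographic root cause described above (AES-CFB8 with an IV that is never randomised) can be demonstrated without touching Netlogon at all. The Go program below is an added example written for this post; it is not code from Secrutiny or Microsoft. It implements AES-CFB8 over the standard library block cipher, checks itself against the NIST SP 800-38A CFB8-AES128 test vector, and then measures how often an all-zero plaintext encrypts to an all-zero ciphertext under random keys. With the fixed all-zero IV that the vulnerable implementation used, that happens for roughly one key in 256, because once the first keystream byte is zero the shift register stays all-zero and every following byte repeats it; with a fresh random IV per message it never happens in practice. The function and variable names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// aesCFB8 encrypts plaintext with AES in CFB8 mode. The shift register starts
// as the IV; each step encrypts the register, XORs the first keystream byte
// into one plaintext byte, and shifts the resulting ciphertext byte into the
// register (one block-cipher call per plaintext byte).
func aesCFB8(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != aes.BlockSize {
		return nil, fmt.Errorf("iv must be %d bytes", aes.BlockSize)
	}
	reg := make([]byte, aes.BlockSize)
	copy(reg, iv)
	ks := make([]byte, aes.BlockSize)
	out := make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(ks, reg)
		out[i] = p ^ ks[0]
		copy(reg, reg[1:])
		reg[aes.BlockSize-1] = out[i]
	}
	return out, nil
}

// zeroIV models the fixed, all-zero IV of the vulnerable implementation.
var zeroIV = make([]byte, aes.BlockSize)

// allZero reports whether every byte of b is zero.
func allZero(b []byte) bool {
	for _, x := range b {
		if x != 0 {
			return false
		}
	}
	return true
}

// zeroCiphertextRate encrypts an 8-byte all-zero plaintext under `trials`
// random keys and returns the fraction of keys for which the ciphertext is
// also all zero. Fixed zero IV: about 1/256. Random IV per message: about
// 2^-64, i.e. effectively never.
func zeroCiphertextRate(trials int, randomIV bool) (float64, error) {
	hits := 0
	key := make([]byte, 16)
	iv := make([]byte, aes.BlockSize)
	pt := make([]byte, 8) // the chosen plaintext: all zeros
	for i := 0; i < trials; i++ {
		if _, err := rand.Read(key); err != nil {
			return 0, err
		}
		if randomIV {
			if _, err := rand.Read(iv); err != nil {
				return 0, err
			}
		} else {
			copy(iv, zeroIV)
		}
		ct, err := aesCFB8(key, iv, pt)
		if err != nil {
			return 0, err
		}
		if allZero(ct) {
			hits++
		}
	}
	return float64(hits) / float64(trials), nil
}

// nistCFB8Vector checks the implementation against the published
// SP 800-38A F.3.7 CFB8-AES128 encrypt test vector.
func nistCFB8Vector() bool {
	key, _ := hex.DecodeString("2b7e151628aed2a6abf7158809cf4f3c")
	iv, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	pt, _ := hex.DecodeString("6bc1bee22e409f96e93d7e117393172aae2d")
	want, _ := hex.DecodeString("3b79424c9c0dd436bace9e0ed4586a4f32b9")
	got, err := aesCFB8(key, iv, pt)
	return err == nil && bytes.Equal(got, want)
}

func main() {
	fmt.Println("NIST CFB8 vector ok:", nistCFB8Vector())
	fixed, _ := zeroCiphertextRate(50000, false)
	random, _ := zeroCiphertextRate(50000, true)
	fmt.Printf("all-zero ciphertext rate, fixed zero IV: %.4f (expect ~%.4f)\n", fixed, 1.0/256)
	fmt.Printf("all-zero ciphertext rate, random IV:     %.4f\n", random)
}
```

The takeaway for defenders is that the weakness is structural, not a matter of a weak key: any CFB8 deployment that reuses a fixed IV leaks this way, and no amount of key rotation helps. The only remediation is the vendor fix (here, Microsoft's patch for CVE-2020-1472), which is why the advisory above treats it as an emergency.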
We recommend patching CVE-2020-1472 on an emergency basis. A further patch is expected Q1 2021; please refer to Microsoft’s advisory.
Microsoft’s September Patch Tuesday fixes 129 security holes (23 of which are rated ‘critical’) in numerous versions of its Windows operating system and related software. One of the more critical patches could allow remote code execution by sending an email to a victim.
Secrutiny Awarded Position on Crown Commercial Services “Cyber Security Services 3 Dynamic Purchasing System”
We are thrilled to announce that Secrutiny has been awarded a position on Crown Commercial Service’s Cyber Security Services 3 Dynamic Purchasing System (DPS).
With a large shift to remote working, coronavirus isn’t the only virus we have to worry about. We discuss CISO priorities amid COVID-19.