Critical Privilege Escalation Exploit ‘Zerologon’; Have You Patched?
15 September 2020
In August 2020, Microsoft began patching a critical privilege escalation exploit in Windows Server (CVE-2020-1472). Codenamed Zerologon, it allows an attacker to become a domain admin, even without any credentials. The vulnerability received the maximum severity rating of 10.
Zerologon is launched from within the target network, such as using a compromised machine or malicious insider. It exploits a bug in the implementation of Windows Server’s Netlogon service. Netlogon’s authentication uses AES in AES-CFB8 mode. However, it fails to randomly initialise the initial vector. This allows a chosen-plaintext attack to take place, which can lead to an attacker:
- impersonating any machine on the network when authenticating against the domain controller;
- changing a machine’s password on the domain controller’s Active Directory;
- disabling signing and encryption, and spoofing calls to the Netlogon service;
- and taking control of the domain controller, escalating themselves to domain administrator.
Furthermore, when an attacker changes a machine’s password, it only changes in the Active Directory. The machine will then no longer be able to authenticate against Active Directory and fallback to using locally cached credentials until manually resynchronised. This can leave a machine vulnerable to cache manipulation, and thus additional risk from standing privileges.
We recommend patching CVE-2020-1472 on an emergency basis. A further patch is expected Q1 2021; please refer to Microsoft’s advisory.
A list of almost 50,000 Fortinet VPN devices vulnerable to CVE-2018-13379 has been leaked to a hacker forum. Researchers have commented that slow patching procedures have left a large number of organisations vulnerable to the two-year-old exploit.
It is by understanding the biggest risks to your sector, that you will understand the most effective ways of managing those risks. And with healthcare becoming one of the most vulnerable and highly-targeted industries in the world – it’s time we addressed the issue…
Secrutiny, a cybersecurity managed services company and incident response specialist, expands into Europe via Dutch subsidiary. Headquartered in Amsterdam, led by regional managing director Patrick van Arendonk, Secrutiny NL will be the company’s first office in continental Europe.