ZeroLogon – Cybersecurity vulnerability update

by David Kasabji, Cybersecurity Analyst

All who have a keen interest in Cybersecurity might already read about the CVE-2020-1472 which was published on 11.08.2020. However, although it was clear that this is a critical vulnerability (it received a CVSS score of 10.0 from Microsoft!) – I’ve felt there was not enough exposure to this then it deserves.

I was reminded by our friends at SIQ (Matevž Mesojednik) that just a few days ago a sample code got available on GitHub. However, this is not to be considered as complete working PoC exploit, but rather it can be used to test whether your DCs are vulnerable to the exploit. But it is public and it can be used by malicious actors to transform it easily into malicious code.

On twitter, there are already quite a few posts that share their own versions of PoC which can be used.

What it does

The attack takes advantage of flaws in cryptographic authentication protocol that proves the authenticity and identity of a domain-joined computer to the DC. Due to incorrect use of an AES mode of operation, it is possible to spoof the identity of any computer account (including that of the DC itself) and set an empty password for that account in the domain
Secura, Whitepaper

The cryptographic flaw is not enforcing Secure NRPC like NetLogon signing and sealing. Clients can omit the Flag in

NetrServerAuthenticate3 call to not perform signing and sealing, which will be allowed.

For a detailed explanation please refer to the whitepaper link provided above.

What it means

In other words, this means that an attacker who is able to set up a TCP connection to vulnerable DCs, can exploit this vulnerability. So no domain credentials are needed at all. For example, an attacker could also simply plug in a device to an on-premise network port and perform the attack successfully – that’s it. No credentials needed.

What you should do

The patch which addresses this problem by enforcing Secure NRPC (e.g. NetLogon signing and sealing) was released on the 11th of August 2020. In February 2021 Microsoft will start to enforce Secure NRPC for all devices, requiring Administrators to update, decommission or whitelist devices that do not support Secure NRPC beforehand.

  1. Be sure to install the updates released on the August 2020 MS Patch
  2. After installing the security updates, you can deploy Domain Controller enforcement mode now or wait for the Q1 2021 update. Be cautious with this, as this can break stuff! Read more here.: https://support.microsoft.com/kb/4557222

If you install only the August patch you are still protected from the vulnerability, but would still need to monitor for any potential issue that the update might cause.

Conclusion

It is surprising that this did not get much attention until just recently, even though the vulnerability was known for a month now. By spreading the word, more IT administrators will be able to patch their environments and protect their assets. We must be also aware that this patch could cause some potential issues in IT environments once applied since significant testing could not have happened in such a short time period. So keep monitoring your assets once applying this patch and read the Microsoft KB linked in this blog to understand how to adhere to the new Secure NRPC as soon as possible.

Contact
Contact us now