In the realm of cybersecurity, administrators of Windows Server systems must prioritize the installation of recent Microsoft patches, particularly one that addresses a critical vulnerability enabling unauthorized access to domain controllers. Identified as “Zerologon” (CVE-2020-1472) and unveiled by Tom Tervoort of Secura, this privilege escalation vulnerability arises from inadequate AES-CFB8 encryption usage in Netlogon sessions, permitting remote attackers to connect to the targeted domain controller via the Netlogon Remote Protocol (MS-NRPC).
This vulnerability leverages deficiencies in the authentication protocol that verifies the identity of a domain-joined computer to the Domain Controller. Due to improper AES mode implementation, an attacker can impersonate any computer account—including that of the Domain Controller—and reset its password to an empty value, according to researchers from cybersecurity firm Cynet. This attack sequence undermines the integrity of account validation processes intrinsic to domain security.
Initially disclosed during Microsoft’s August patch release, Zerologon gained heightened urgency when researchers subsequently shared technical specifics and proof-of-concept exploits. Both the Indian and Australian governments, alongside the United States Cybersecurity and Infrastructure Security Agency (CISA), issued emergency directives urging immediate remediation of Zerologon vulnerabilities on Windows Servers.
CISA emphasized that by dispatching a series of Netlogon messages filled with zero values, a would-be attacker could modify the computer password for the domain controller stored within Active Directory (AD). This access could facilitate the acquisition of domain admin credentials, thereby allowing the attacker to reset the original DC password. The vulnerability, which carries a CVSS score of 10.0—indicative of critical severity—poses a significant threat, especially to federal civilian agencies deemed vulnerable.
Secura outlined a theoretical exploitation sequence that includes spoofing client credentials, disabling Remote Procedure Call (RPC) signing, and ultimately changing AD passwords for both the computer and domain admin accounts. Given its critical status, the vulnerability maps directly onto adversary tactics catalogued in the MITRE ATT&CK framework, including privilege escalation and initial access.
For organizations unable to promptly apply the necessary updates, CISA advises detaching any impacted domain controllers from network infrastructure as a preventive measure. Additionally, vulnerabilities in Samba versions 4.7 and below further broaden the scope of risk, prompting updates from the developers of this SMB networking implementation for Linux systems.
Cynet has contributed valuable diagnostic tools to aid in identifying active exploitation. These include recommendations for monitoring specific memory patterns in the lsass.exe process, as well as alerts for abnormal network traffic between instances of the process. Notably, Windows Event ID 4742, which records any change to a computer account, serves as a critical artifact indicating suspicious activity, particularly when coupled with Event ID 4672, which records the assignment of special privileges at logon.
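The following is an added example, not Cynet's tooling or the article's own code, showing how the two event IDs named above can be correlated into a detection. It runs over a handful of constructed sample events (not captured from a real host) whose field names follow the Windows Security log (SubjectUserName, TargetUserName, PasswordLastSet, PrivilegeList). Three things are assumptions on my part rather than facts from the page: the set of domain-controller account names, the five-minute correlation window, and the heuristic that a 4742 performed by ANONYMOUS LOGON against a DC account, or by a subject other than the account itself, is more suspicious than the account rotating its own password.

```python
"""Correlate Windows Security events 4742 (computer account changed) and
4672 (special privileges assigned) to flag domain-controller computer-account
password resets worth investigating. Added example; sample data is constructed."""
from datetime import datetime, timedelta

# Constructed sample events (not real log data). In a 4742 event, an attribute
# that did not change is logged as "-", so PasswordLastSet != "-" means the
# computer account's password was actually reset.
SAMPLE_EVENTS = [
    {"EventID": 4742, "Time": "2020-09-21T10:00:03", "SubjectUserName": "svc-deploy",
     "TargetUserName": "WKS0042$", "PasswordLastSet": "-"},                  # attribute change, no reset
    {"EventID": 4742, "Time": "2020-09-21T10:05:00", "SubjectUserName": "DC02$",
     "TargetUserName": "DC02$", "PasswordLastSet": "9/21/2020 10:05:00 AM"},  # DC rotating its own password
    {"EventID": 4742, "Time": "2020-09-21T10:15:10", "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "DC01$", "PasswordLastSet": "9/21/2020 10:15:10 AM"},  # reset by an unauthenticated subject
    {"EventID": 4672, "Time": "2020-09-21T10:15:12", "SubjectUserName": "DC01$",
     "PrivilegeList": "SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege"},
    {"EventID": 4672, "Time": "2020-09-21T11:40:00", "SubjectUserName": "admin.jane",
     "PrivilegeList": "SeSecurityPrivilege"},
]

# Assumption: the defender maintains a list of domain-controller computer accounts.
DC_ACCOUNTS = {"DC01$", "DC02$"}


def _ts(value):
    return datetime.fromisoformat(value)


def find_dc_password_resets(events, dc_accounts=DC_ACCOUNTS, window=timedelta(minutes=5)):
    """Return one finding per 4742 that reset a DC computer-account password.

    Each finding carries the reasons it was raised and a score equal to the
    number of reasons, so a plain self-rotation scores 1 while a reset by an
    unexpected subject that is followed by a privileged logon scores 3.
    """
    resets = [e for e in events
              if e["EventID"] == 4742
              and e["TargetUserName"] in dc_accounts
              and e.get("PasswordLastSet", "-") != "-"]
    priv_logons = [e for e in events if e["EventID"] == 4672]

    findings = []
    for reset in resets:
        reasons = ["password reset on a domain-controller computer account"]
        subject = reset["SubjectUserName"]
        target = reset["TargetUserName"]

        # Heuristic (assumption): a machine rotates its own password; anyone else
        # doing it, and ANONYMOUS LOGON in particular, is worth a closer look.
        if subject.upper() == "ANONYMOUS LOGON":
            reasons.append("reset performed by ANONYMOUS LOGON")
        elif subject != target:
            reasons.append(f"reset performed by {subject}, not by the account itself")

        # Correlate with a 4672 for the same account shortly after the reset.
        t0 = _ts(reset["Time"])
        for logon in priv_logons:
            delta = _ts(logon["Time"]) - t0
            if logon["SubjectUserName"] == target and timedelta(0) <= delta <= window:
                reasons.append("followed by a 4672 special-privilege logon as that account")
                break

        findings.append({"account": target, "time": reset["Time"],
                         "subject": subject, "reasons": reasons, "score": len(reasons)})
    return findings


def high_confidence(findings, threshold=2):
    """Filter out routine self-rotations (score 1) and keep the rest."""
    return [f for f in findings if f["score"] >= threshold]


if __name__ == "__main__":
    for f in high_confidence(find_dc_password_resets(SAMPLE_EVENTS)):
        print(f"{f['time']} {f['account']} score={f['score']}: " + "; ".join(f["reasons"]))
```

A real deployment would feed this from the Security log of each domain controller (the 4742 is written on the DC that processed the change) and tune the DC account list and window to the environment; the scoring is there so that routine 30-day machine-password rotations do not drown out the one reset that matters.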
For organizations intent on averting potentially devastating breaches, the deployment of the latest Microsoft patch remains a critical step. Cybersecurity vigilance, coupled with proactive measures and rapid intervention protocols, is essential in mitigating the risks posed by vulnerabilities such as Zerologon.